
Windows Analysis Report
g3y89237.exe

Overview

General Information

Sample name: g3y89237.exe
Analysis ID: 1529307
MD5: 95a6d287978fa62ad30f26bae7aec73b
SHA1: 759461ef978d1fc7d8a0571980b0065b51a61531
SHA256: 48980f70da16b59927768b0e3a4d56c8c98e129f05f7f26b81847ffede708428
Tags: exerocketdocs-loluser-JAMESWT_MHT

Detection

DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Malware Callback Communication
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • g3y89237.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\g3y89237.exe" MD5: 95A6D287978FA62AD30F26BAE7AEC73B)
    • powershell.exe (PID: 6008 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 4416 cmdline: "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • regsvr32.exe (PID: 356 cmdline: C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3418525753.00000000023D0000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x45788:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x48cbe:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.3417790081.000000000064B000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x62078:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x655ae:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: regsvr32.exe PID: 356 | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security

    Source | Rule | Description | Author | Strings
    4.2.regsvr32.exe.23d130d.1.unpack | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
    • 0x4087b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    4.2.regsvr32.exe.668bfd.0.unpack | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
    • 0x4087b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    4.2.regsvr32.exe.23d130d.1.raw.unpack | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
    • 0x4447b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    • 0x479b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    4.2.regsvr32.exe.668bfd.0.raw.unpack | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
    • 0x4447b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    • 0x479b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

    System Summary

    Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 185.196.9.174, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 356, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49813
    Source: Network Connection; Author: Dmitriy Lifanov, oscd.community; Data: DestinationIp: 185.196.9.174, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 356, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49813
    Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini, CommandLine: C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini, ProcessId: 356, ProcessName: regsvr32.exe
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)", CommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\g3y89237.exe", ParentImage: C:\Users\user\Desktop\g3y89237.exe, ParentProcessId: 6596, ParentProcessName: g3y89237.exe, ProcessCommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)", ProcessId: 6008, ProcessName: powershell.exe

    HIPS / PFW / Operating System Protection Evasion

    Source: Process started; Author: Joe Security; Data: Command: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)", CommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\g3y89237.exe", ParentImage: C:\Users\user\Desktop\g3y89237.exe, ParentProcessId: 6596, ParentProcessName: g3y89237.exe, ProcessCommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)", ProcessId: 6008, ProcessName: powershell.exe

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-10-08T20:51:31.760492+0200 | 2842478 | 1 | Malware Command and Control Activity Detected | 185.196.9.174 | 7777 | 192.168.2.6 | 49813 | TCP

    AV Detection

    Source: g3y89237.exe; ReversingLabs: Detection: 57%
    Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
    Source: g3y89237.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

    Networking

    Source: Network traffic; Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.196.9.174:7777 -> 192.168.2.6:49813
    Source: C:\Windows\System32\regsvr32.exe; Network Connect: 185.196.9.174 7777
    Source: global traffic; TCP traffic: 192.168.2.6:49813 -> 185.196.9.174:7777
    Source: Joe Sandbox View; ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.196.9.174
    Source: regsvr32.exe, 00000004.00000002.3418346673.0000000002350000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabG5
    Source: regsvr32.exe, 00000004.00000002.3418346673.0000000002350000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enen=b03f5f7&
    Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.2309860244.0000020BAA2B7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://osoft.co
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91BB1000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.0000000002742000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.00000000026C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.2311324939.0000020BAA37E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91BB1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

    System Summary

    Source: 4.2.regsvr32.exe.23d130d.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: 4.2.regsvr32.exe.668bfd.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: 4.2.regsvr32.exe.23d130d.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: 4.2.regsvr32.exe.668bfd.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: 00000004.00000002.3418525753.00000000023D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: 00000004.00000002.3417790081.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
    Source: C:\Users\user\Desktop\g3y89237.exe; Code function: 0_2_00007FF70BF5A810 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError
    Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_00007FFD8B36493C memset,HeapCreate,HeapAlloc,CreateTimerQueue,CreateEventW,GetModuleHandleA,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,DeleteFileW,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,GetLastError,memcpy,CloseHandle
    Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_00007FFD8B396DF0 NtReadFile
    Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_00007FFD8B3753D0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD8B3965404_2_00007FFD8B396540
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_02416A1C4_2_02416A1C
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_02416DF84_2_02416DF8
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_024172284_2_02417228
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0241A4D44_2_0241A4D4
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_02415B404_2_02415B40
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_02417CDC4_2_02417CDC
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD347914A84_2_00007FFD347914A8
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD34795F454_2_00007FFD34795F45
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD347A0E664_2_00007FFD347A0E66
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD3479719E4_2_00007FFD3479719E
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD347A1C124_2_00007FFD347A1C12
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD3479CDCD4_2_00007FFD3479CDCD
    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00007FFD347973624_2_00007FFD34797362
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: String function: 00007FF70BF48ED0 appears 63 times
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: String function: 00007FF70BF4A360 appears 37 times
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: String function: 00007FF70BF5A0A0 appears 75 times
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: String function: 00007FF70BF8FD54 appears 72 times
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: String function: 00007FF70BF43C30 appears 78 times
    Source: C:\Windows\System32\regsvr32.exeCode function: String function: 00007FFD8B374C90 appears 109 times
    Source: C:\Windows\System32\regsvr32.exeCode function: String function: 00007FFD8B368330 appears 69 times
    Source: QEMs.ini.0.drStatic PE information: Number of sections : 11 > 10
    Source: g3y89237.exeStatic PE information: Number of sections : 11 > 10
    Source: 4.2.regsvr32.exe.23d130d.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: 4.2.regsvr32.exe.668bfd.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: 4.2.regsvr32.exe.23d130d.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: 4.2.regsvr32.exe.668bfd.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: 00000004.00000002.3418525753.00000000023D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: 00000004.00000002.3417790081.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/7@0/2
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: 0_2_00007FF70BF5CCF0 memset,FormatMessageW,GetLastError,HeapFree,HeapFree,0_2_00007FF70BF5CCF0
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: 0_2_00007FF70BF8C060 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,HeapFree,UnmapViewOfFile,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,0_2_00007FF70BF8C060
    Source: C:\Users\user\Desktop\g3y89237.exeFile created: C:\Users\user\AppData\Roaming\QEMs.iniJump to behavior
    Source: C:\Windows\System32\regsvr32.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_03
    Source: C:\Windows\System32\regsvr32.exeMutant created: \Sessions\1\BaseNamedObjects\LsdacJlsbotslshJmsr
    Source: C:\Windows\System32\regsvr32.exeMutant created: \Sessions\1\BaseNamedObjects\cbRHd
    Source: C:\Users\user\Desktop\g3y89237.exeMutant created: \Sessions\1\BaseNamedObjects\MUTEX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_es3wdygj.rbs.ps1Jump to behavior
    Source: g3y89237.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\g3y89237.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: g3y89237.exe | ReversingLabs: Detection: 57%
    Source: unknown | Process created: C:\Users\user\Desktop\g3y89237.exe "C:\Users\user\Desktop\g3y89237.exe"
    Source: C:\Users\user\Desktop\g3y89237.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
    Source: C:\Users\user\Desktop\g3y89237.exe | Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
    Source: C:\Users\user\Desktop\g3y89237.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\g3y89237.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\g3y89237.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\g3y89237.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: schannel.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: cryptnet.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: devenum.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: winmm.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: devobj.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: msdmo.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
    Source: C:\Users\user\Desktop\g3y89237.exe | File written: C:\Users\user\AppData\Roaming\QEMs.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: g3y89237.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: g3y89237.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

    Data Obfuscation

    Source: C:\Users\user\Desktop\g3y89237.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
    Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00007FFD8B36493C memset,HeapCreate,HeapAlloc,CreateTimerQueue,CreateEventW,GetModuleHandleA,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,DeleteFileW,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,GetLastError,memcpy,CloseHandle
    Source: g3y89237.exe | Static PE information: section name: .xdata
    Source: QEMs.ini.0.dr | Static PE information: section name: .xdata
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3466D2A5 pushad ; iretd 2_2_00007FFD3466D2A6
    Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_023D4BC4 push es; retf 0000h 4_2_023D4BCC
    Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_023D4C11 push es; retf 4_2_023D4C25
    Source: C:\Users\user\Desktop\g3y89237.exe | File created (dropped file): C:\Users\user\AppData\Roaming\QEMs.ini

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe Memory allocated: 25C0000 memory reserve | memory write watch
    Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1A6C0000 memory reserve | memory write watch
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4478
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5398
    Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 7597
    Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 2266
    Source: C:\Users\user\Desktop\g3y89237.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QEMs.ini
    Source: C:\Users\user\Desktop\g3y89237.exe API coverage: 9.2 %
    Source: C:\Windows\System32\regsvr32.exe API coverage: 7.2 %
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 964 Thread sleep count: 4478 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 964 Thread sleep count: 5398 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2244 Thread sleep time: -10145709240540247s >= -30000s
    Source: C:\Windows\System32\regsvr32.exe TID: 4232 Thread sleep count: 7597 > 30
    Source: C:\Windows\System32\regsvr32.exe TID: 5956 Thread sleep time: -11990383647911201s >= -30000s
    Source: C:\Windows\System32\regsvr32.exe TID: 1212 Thread sleep count: 2266 > 30
    Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF45304h
    Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF4542Ch
    Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF45544h
    Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF4566Ch
    Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: regsvr32.exe, 00000004.00000002.3418346673.0000000002350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36493C memset,HeapCreate,HeapAlloc,CreateTimerQueue,CreateEventW,GetModuleHandleA,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,DeleteFileW,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,GetLastError,memcpy,CloseHandle
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF41180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm
    Source: C:\Users\user\Desktop\g3y89237.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777
    Source: C:\Users\user\Desktop\g3y89237.exe NtWriteFile: Indirect: 0x7FF70BF5A861
    Source: C:\Windows\System32\regsvr32.exe Thread register set: 356 5
    Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
    Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
    Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/qems.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{8c004488-0c84-408c-cc80-404c848444cc}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
    Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002738000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3420968424.000000001B772000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.0000000002A00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
    Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002738000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: 0_2_00007FF70BF88550 GetCurrentProcessId,ProcessPrng,HeapFree,CreateNamedPipeW,GetLastError,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,CloseHandle,0_2_00007FF70BF88550
    Source: C:\Users\user\Desktop\g3y89237.exeCode function: 0_2_00007FF70BF44F70 CreateMutexA,GetLastError,SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,memcpy,memset,RtlFreeHeap,RtlFreeHeap,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,0_2_00007FF70BF44F70
    Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    Source: regsvr32.exe, 00000004.00000002.3418346673.00000000023B2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3420402664.000000001B1C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3420402664.000000001B009000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
    Source: C:\Windows\System32\regsvr32.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 356, type: MEMORYSTR
    Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \\Electrum\\wall
    Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb
    Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \\Exodus\\exodus
    Source: powershell.exe, 00000002.00000002.2324083460.00007FFD34950000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 356, type: MEMORYSTR
    MITRE ATT&CK Matrix (techniques per tactic; hit count in parentheses where the report flagged the technique)

    • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
    • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
    • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
    • Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (1), Native API (1), PowerShell (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
    • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
    • Privilege Escalation: Process Injection (213), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
    • Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (213), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
    • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
    • Discovery: System Time Discovery (11), Security Software Discovery (21), Virtualization/Sandbox Evasion (31), Process Discovery (3), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (14), System Owner/User Discovery
    • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
    • Collection: Archive Collected Data (1), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
    • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
    • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
    • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
    Source | Detection | Scanner | Label
    g3y89237.exe | 58% | ReversingLabs | Win64.Worm.AutoRun
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\QEMs.ini | 3% | ReversingLabs | -
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
    https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
    http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
    http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
    https://contoso.com/ | 0% | URL Reputation | safe
    https://nuget.org/nuget.exe | 0% | URL Reputation | safe
    https://contoso.com/License | 0% | URL Reputation | safe
    https://contoso.com/Icon | 0% | URL Reputation | safe
    https://aka.ms/pscore68 | 0% | URL Reputation | safe
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/ | powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/License | powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/Icon | powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://osoft.co | powershell.exe, 00000002.00000002.2309860244.0000020BAA2B7000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
    http://www.microsoft. | powershell.exe, 00000002.00000002.2311324939.0000020BAA37E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
    https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2280528606.0000020B91BB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2280528606.0000020B91BB1000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.0000000002742000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.00000000026C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
            185.196.9.174 | unknown | Switzerland | 42624 | SIMPLECARRIERCH | true
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1529307
            Start date and time:2024-10-08 20:50:10 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 8s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:8
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:g3y89237.exe
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@7/7@0/2
            EGA Information:
            • Successful, ratio: 66.7%
            HCA Information:
            • Successful, ratio: 93%
            • Number of executed functions: 28
            • Number of non-executed functions: 196
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target powershell.exe, PID 6008 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            • VT rate limit hit for: g3y89237.exe
            Time | Type | Description
            14:51:10 | API Interceptor | 42x Sleep call for process: powershell.exe modified
            20:51:20 | Task Scheduler | Run new task: MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC} path: regsvr32 s>/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
            No context
            No context
            Match: SIMPLECARRIERCH
            Associated Sample Name / URL | Detection | Threat Name | Context
            z71htmivzKAUpOkr2J.exe | malicious | AgentTesla | 185.196.9.150
            1tstvk3Sls.exe | malicious | RHADAMANTHYS | 185.196.11.237
            GX9zyKVNXR.exe | malicious | RedLine | 185.196.9.26
            Lys2hJAvd1.exe | malicious | RedLine | 185.196.9.26
            JfvFiUr0DO.exe | malicious | RedLine | 185.196.9.26
            gLKtR4HuEw.exe | malicious | RedLine | 185.196.9.26
            injector V2.5.exe | malicious | RedLine | 185.196.9.26
            Jeverly.exe | malicious | RedLine | 185.196.9.26
            by_execute.exe | malicious | RedLine | 185.196.9.26
            Shark#U041ePShC.exe | malicious | RedLine | 185.196.9.26
            No context
            No context
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):64
            Entropy (8bit):1.1940658735648508
            Encrypted:false
            SSDEEP:3:Nlllul1jR:NllU
            MD5:0EC63F8643FAD46EC878DB86E00F7FF5
            SHA1:53D9444F5369A346E09B2E3D95E06D838BD43A52
            SHA-256:E35DD4598E36CB170B240FD08843073B98DD8BDA901C13FCEBC923ABA2EAE934
            SHA-512:EF572FBB9395F9077C737A458960558BDB7CBBDD183001ECEB1ABF4B82784F0B16E3A7BA1F1F3353E73387AEBC28952A198979E10FE3FD13F2064E69DA69677F
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:@...e..................................."............@..........
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\regsvr32.exe
            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
            Category:dropped
            Size (bytes):196418
            Entropy (8bit):7.940648651684764
            Encrypted:false
            SSDEEP:3072:cawln3q3afb9T3kjA8TDNu7gL1JkCS+2/lybYq0ammMRuM7Wk3BG3u9ut2onhzjZ:i3q3aD9jWA81u7gL1M+2ohymMsMyk3BQ
            MD5:97C72688B52C0414DBDD568B79164CD1
            SHA1:8228C716B40DB6618C479FEB5780CB5A83E048C5
            SHA-256:813B1356C67E8243329C41F7235172DD46E5305F5B01961C1C499F9CDBB55A05
            SHA-512:70EADC06297D9D1EF24D0230D3032C9175D3571BE4A7C739F8F130727068C2CE6F5D2CA7C6FE4601B9102EC830DFEFE62397452C702BA8566A80AA2849AC1BE5
            Malicious:false
            Preview:PK........IJ<Y..5...........second_data.bin.\gT.M.F@d..T.*."....H.E...5..M...T.... b.7.?..D..R.......(.P.N.d-aw......y....w&.W>,,..D3..iw.K.hH..5.0..)1....Z$"=.@..._..R....e..<...g..g....Y.I.......n~z..Q\.%.N..C.kBs.F.f..H...X.j....:...v9..r..[..^.h?.'..~-|..;.....K..........%......x.R...n.....0_K)..kZ\.......c.c.#v...yp..........wZ..1.Xz..fmm.Z!e=...M.....T...l.twoy....O..BD^.....X5.....`..C3..8....i._iIf.......V...(.....%.VP..i.!y...#...T...K.W[.>..tX.....@.!~(....;..*.E..':b.s'Vx.....K.7,\m9g...?.T.{..........n.f.........DmOU\sT....I..z.s..............x:.Jz....U...?.......Fev.t^kRm.v H.Z.b..j.yH~q.oN.[I...s..?......p.`z.\.u.vY.B].......[.Q...S.....>..o.?..Z.H<#.So?ouT.wF....:..yRg....U-4.QV..../....Y...c......'.w*.<.r..jx..Wm:V..-.H_l...o.=O...j[.fFQ.>G>IY.#%.....#...>.K..ceW......H..V>....,.Sy?.7..k..S..cd....*..7.._......{r.-.......Z..eJ..%C6......_...........\.h.r....fJ|7)..O.'....eC.NK~....".Ey......v..Q.A.]*.2.^9.K.i.bR....
            Process:C:\Users\user\Desktop\g3y89237.exe
            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
            Category:dropped
            Size (bytes):565760
            Entropy (8bit):7.22638858913546
            Encrypted:false
            SSDEEP:12288:KOP1GIVEBUsI3NdVU+VwQCaRjWz1u7iP9hYR0g:nLGi73NdVU+VwQCt1uwLYR
            MD5:3215CD0C5B1A3C9FA3507E56D987372E
            SHA1:B0EBBCCAE5B02E287EAFCEAC9D7D69785928C0DF
            SHA-256:8E5ABD89E9823C6BE5C6D149F15434FB84760A008F2034A0D17F8C0094F738CF
            SHA-512:AB32F2E6C72F46AFA16EDF7DD4F7F2DF684751F94B7E2B81452E2AF7CEAE29888FF93CE55BD0007DF4168F7F42588EBCDC553C1C724962AA37603EC1B7AD2CF0
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 3%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...],.f..........."...*............0................................................5....`... .................................................h............`..x...........................................`A..(.......................0............................text...............................`..`.data...............................@....rdata..............................@..@.pdata..x....`.......<..............@..@.xdata.../.......0...X..............@..@.bss....@................................edata..............................@..@.idata..h...........................@....CRT....`...........................@....tls................................@....reloc..............................@..B........................................................................................................................................................................
            File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
            Entropy (8bit):7.474155007450314
            TrID:
            • Win64 Executable (generic) (12005/4) 74.95%
            • Generic Win/DOS Executable (2004/3) 12.51%
            • DOS Executable Generic (2002/1) 12.50%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
            File name:g3y89237.exe
            File size:813'056 bytes
            MD5:95a6d287978fa62ad30f26bae7aec73b
            SHA1:759461ef978d1fc7d8a0571980b0065b51a61531
            SHA256:48980f70da16b59927768b0e3a4d56c8c98e129f05f7f26b81847ffede708428
            SHA512:4b2c702d64893804a803e4414ef22d4eaa8fbb95678d1b9011a46dd5c94fb7d1945cfe49a67dc345f6260f7ee23f4ca6601a60634e977b6b84ca9d02072c6003
            SSDEEP:24576:JqmTmwgCof8IO6kh97pa66GbKHA+bEFymZtsnmPI9SflCE9:Jqm67CovO6kr7l9bsA3nfsng9CE
            TLSH:4505D05BB59165BDD156C0B4A3969A73AA33B88A15307D7F03E0C2343F5AE601F2CF29
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...r,.f...............*.....d.................@.....................................A....`... ............................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x1400013d0
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x66F82C72 [Sat Sep 28 16:18:58 2024 UTC]
            TLS Callbacks:0x4001bd50, 0x1, 0x40050630, 0x1, 0x40050600, 0x1
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:1126c03dff64ebd50cc488a05fb408fc
            Instruction
            dec eax
            sub esp, 28h
            dec eax
            mov eax, dword ptr [000BF775h]
            mov dword ptr [eax], 00000001h
            call 00007F2348E97A4Fh
            nop
            nop
            dec eax
            add esp, 28h
            ret
            nop dword ptr [eax]
            dec eax
            sub esp, 28h
            dec eax
            mov eax, dword ptr [000BF755h]
            mov dword ptr [eax], 00000000h
            call 00007F2348E97A2Fh
            nop
            nop
            dec eax
            add esp, 28h
            ret
            nop dword ptr [eax]
            dec eax
            sub esp, 28h
            call 00007F2348EE6D74h
            dec eax
            cmp eax, 01h
            sbb eax, eax
            dec eax
            add esp, 28h
            ret
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            dec eax
            lea ecx, dword ptr [00000009h]
            jmp 00007F2348E97C89h
            nop dword ptr [eax+00h]
            ret
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            nop
            inc ecx
            push edi
            inc ecx
            push esi
            inc ecx
            push esp
            push esi
            push edi
            push ebx
            dec eax
            sub esp, 58h
            dec eax
            mov esi, edx
            dec eax
            mov edi, ecx
            xorps xmm0, xmm0
            movaps esp+40h, dqword ptr [xmm0]
            movaps esp+30h, dqword ptr [xmm0]
            dec eax
            lea ebx, dword ptr [esp+28h]
            dec esp
            lea esi, dword ptr [esp+30h]
            dec esp
            lea edi, dword ptr [00051B7Fh]
            dec esp
            lea esp, dword ptr [00051B88h]
            nop dword ptr [eax+eax+00000000h]
            inc ecx
            mov eax, 00000020h
            dec eax
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8000 | 0x12fc | .idata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0x4e8 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc1000 | 0x1a04 | .pdata
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcd000 | 0x4f4 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0xc07a0 | 0x28 | .rdata
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0xc8498 | 0x3e0 | .idata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x50658 | 0x50800 | 2645da5252a8ede0ab4bce17306bbc97 | False | 0.5288571185947205 | data | 6.316500921252662 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .data | 0x52000 | 0x100 | 0x200 | 10eb475aeba5d9d51c142f7732b620fa | False | 0.115234375 | data | 0.6706989826579657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rdata | 0x53000 | 0x6dc60 | 0x6de00 | b52a252b3d733ec5a51b845151e68585 | False | 0.9442859428327645 | data | 7.941446733172013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .pdata | 0xc1000 | 0x1a04 | 0x1c00 | b83c0c8e30f804b9063bd6f6fa6c57a9 | False | 0.4877232142857143 | data | 5.3403135577888605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .xdata | 0xc3000 | 0x3b90 | 0x3c00 | 22efaa79625930fcf57efa266b0a0df9 | False | 0.4087890625 | data | 5.6697002618983285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .bss | 0xc7000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .idata | 0xc8000 | 0x12fc | 0x1400 | 506063cf9ba0d152684b0d41f4abeecc | False | 0.3203125 | COM executable for DOS | 4.499330191107107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .CRT | 0xca000 | 0x68 | 0x200 | 9fce38482d7d11a62c73b491188da9fd | False | 0.07421875 | data | 0.37876561408198567 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .tls | 0xcb000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xcc000 | 0x4e8 | 0x600 | ff2527db6408abb7a087171a5113ff09 | False | 0.3352864583333333 | data | 4.784930512373522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xcd000 | 0x4f4 | 0x600 | b1c8fb044929943ce0b3cf41acc33d7c | False | 0.5696614583333334 | data | 4.90304425543602 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_MANIFEST | 0xcc058 | 0x48f | XML 1.0 document, ASCII text | | | 0.40102827763496146
            DLL | Import
            KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwindEx, VirtualProtect, VirtualQuery, __C_specific_handler
            msvcrt.dll | __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _fpreset, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf
            ntdll.dll | NtReadFile, NtWriteFile, RtlNtStatusToDosError
            KERNEL32.dll | AddVectoredExceptionHandler, CancelIo, CloseHandle, CompareStringOrdinal, CreateEventW, CreateFileMappingA, CreateFileW, CreateMutexA, CreateNamedPipeW, CreateProcessW, CreateThread, CreateToolhelp32Snapshot, DeleteProcThreadAttributeList, DuplicateHandle, FormatMessageW, FreeEnvironmentStringsW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetStdHandle, GetSystemDirectoryW, GetSystemTimePreciseAsFileTime, GetWindowsDirectoryW, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeProcThreadAttributeList, MapViewOfFile, Module32FirstW, Module32NextW, MultiByteToWideChar, ReadFile, ReadFileEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetFileInformationByHandle, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, Sleep, SleepEx, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, UpdateProcThreadAttribute, WaitForMultipleObjects, WaitForSingleObject, WriteConsoleW, WriteFileEx, lstrlenW
            ole32.dll | CoTaskMemFree
            SHELL32.dll | SHGetKnownFolderPath
            api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
            bcryptprimitives.dll | ProcessPrng
            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
            2024-10-08T20:51:31.760492+0200 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 185.196.9.174 | 7777 | 192.168.2.6 | 49813 | TCP
            Timestamp | Source IP | Dest IP | Checksum | Code | Type
            Oct 8, 2024 20:51:25.096282005 CEST | 192.168.2.6 | 8.8.8.8 | 4d5a | | Echo
            Oct 8, 2024 20:51:25.103641987 CEST | 8.8.8.8 | 192.168.2.6 | 555a | | Echo Reply

            Target ID:0
            Start time:14:51:06
            Start date:08/10/2024
            Path:C:\Users\user\Desktop\g3y89237.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\g3y89237.exe"
            Imagebase:0x7ff70bf40000
            File size:813'056 bytes
            MD5 hash:95A6D287978FA62AD30F26BAE7AEC73B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:14:51:07
            Start date:08/10/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
            Imagebase:0x7ff6e3d50000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:14:51:07
            Start date:08/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:14:51:20
            Start date:08/10/2024
            Path:C:\Windows\System32\regsvr32.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
            Imagebase:0x7ff781110000
            File size:25'088 bytes
            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.3418525753.00000000023D0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.3417790081.000000000064B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:false

            Target ID:6
            Start time:14:51:24
            Start date:08/10/2024
            Path:C:\Windows\System32\regsvr32.exe
            Wow64 process (32bit):false
            Commandline:"regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
            Imagebase:0x7ff781110000
            File size:25'088 bytes
            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:10%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:9.8%
              Total number of Nodes:2000
              Total number of Limit Nodes:184
62308->66187 66284 7ff70bf46b5b 62308->66284 66341 7ff70bf4675e 62308->66341 66395 7ff70bf46ade 62308->66395 66452 7ff70bf46ada 62308->66452 66509 7ff70bf462d3 62308->66509 66566 7ff70bf46b54 62308->66566 66623 7ff70bf46ad6 62308->66623 66680 7ff70bf46750 62308->66680 66734 7ff70bf466d0 62308->66734 66788 7ff70bf46ad2 62308->66788 66845 7ff70bf464cc 62308->66845 66897 7ff70bf46b4d 62308->66897 66954 7ff70bf46ace 62308->66954 67011 7ff70bf46749 62308->67011 67065 7ff70bf46aca 62308->67065 67122 7ff70bf46a45 62308->67122 67179 7ff70bf46b46 62308->67179 67236 7ff70bf46ac6 62308->67236 67293 7ff70bf45646 62308->67293 67362 7ff70bf46b3f 62308->67362 67419 7ff70bf46641 62308->67419 67473 7ff70bf46742 62308->67473 67527 7ff70bf459c2 62308->67527 67579 7ff70bf46ac2 62308->67579 67636 7ff70bf4673b 62308->67636 67690 7ff70bf4663b 62308->67690 62309 7ff70bf41996 62309->62267 62402 7ff70bf59c20 59 API calls 62309->62402 62404->62281 62405->62285 62406->62287 62408 7ff70bf5b76b TlsGetValue 62407->62408 62409 7ff70bf5b7f8 62407->62409 62410 7ff70bf5b77a 62408->62410 62414 7ff70bf59a12 62408->62414 62457 7ff70bf5b910 57 API calls 62409->62457 62413 7ff70bf8bff0 HeapAlloc 62410->62413 62410->62414 62412 7ff70bf5b804 TlsGetValue 62412->62410 62412->62414 62415 7ff70bf5b78f 62413->62415 62414->62291 62414->62292 62416 7ff70bf5b798 TlsGetValue TlsSetValue 62415->62416 62417 7ff70bf5b819 62415->62417 62416->62414 62419 7ff70bf5b7c1 62416->62419 62458 7ff70bf47c30 57 API calls 62417->62458 62421 7ff70bf5b7d7 HeapFree 62419->62421 62456 7ff70bf59680 HeapFree 62419->62456 62420 7ff70bf5b828 62421->62414 62424 7ff70bf5b68e TlsGetValue 62423->62424 62425 7ff70bf5b719 62423->62425 62427 7ff70bf5b6b9 62424->62427 62429 7ff70bf5b69d 62424->62429 62459 7ff70bf5b910 57 API calls 62425->62459 62427->62300 62428 7ff70bf5b725 TlsGetValue 62428->62427 62428->62429 62429->62427 62430 7ff70bf8bff0 HeapAlloc 62429->62430 62431 7ff70bf5b6d2 62430->62431 62432 7ff70bf5b6d7 TlsGetValue TlsSetValue 
62431->62432 62433 7ff70bf5b73a 62431->62433 62432->62427 62434 7ff70bf5b6fc HeapFree 62432->62434 62460 7ff70bf47c30 57 API calls 62433->62460 62434->62427 62436 7ff70bf5b749 62437 7ff70bf5b76b TlsGetValue 62436->62437 62438 7ff70bf5b7f8 62436->62438 62452->62295 62454->62300 62456->62421 62457->62412 62458->62420 62459->62428 62460->62436 62477 7ff70bf46a10 62464->62477 62465 7ff70bf47083 CloseHandle 62467 7ff70bf4709a 62465->62467 62495 7ff70bf45d2b 62465->62495 62466 7ff70bf5a0a0 HeapFree 62466->62477 67783 7ff70bf4a030 57 API calls 62467->67783 62470 7ff70bf46f68 CloseHandle 62473 7ff70bf47191 CloseHandle 62470->62473 62472 7ff70bf45d7c HeapFree HeapFree 62476 7ff70bf460c4 62472->62476 62472->62495 62473->62467 62477->62465 62477->62466 62477->62470 62477->62473 62486 7ff70bf471d3 62477->62486 62491 7ff70bf45d1c 62477->62491 67769 7ff70bf5a810 62477->67769 62481 7ff70bf45df7 62485 7ff70bf48010 58 API calls 62481->62485 67784 7ff70bf48500 57 API calls 62486->67784 62491->62495 67778 7ff70bf41d90 62491->67778 62495->62472 62495->62481 62502 7ff70bf470eb 62495->62502 67744 7ff70bf42470 62495->67744 67782 7ff70bf4a030 57 API calls 62502->67782 62542 7ff70bf46a10 62521->62542 62522 7ff70bf47083 CloseHandle 62524 7ff70bf4709a 62522->62524 62554 7ff70bf45d2b 62522->62554 62523 7ff70bf5a0a0 HeapFree 62523->62542 67791 7ff70bf4a030 57 API calls 62524->67791 62525 7ff70bf42470 2 API calls 62525->62554 62527 7ff70bf46f68 CloseHandle 62530 7ff70bf47191 CloseHandle 62527->62530 62529 7ff70bf45d7c HeapFree HeapFree 62533 7ff70bf460c4 62529->62533 62529->62554 62530->62524 62531 7ff70bf5a810 59 API calls 62531->62542 62537 7ff70bf45df7 62541 7ff70bf48010 58 API calls 62537->62541 62542->62522 62542->62523 62542->62527 62542->62530 62542->62531 62543 7ff70bf471d3 62542->62543 62548 7ff70bf45d1c 62542->62548 67792 7ff70bf48500 57 API calls 62543->67792 62548->62554 62555 7ff70bf41d90 HeapFree 62548->62555 62554->62525 62554->62529 62554->62537 62559 7ff70bf470eb 62554->62559 
62555->62554 67790 7ff70bf4a030 57 API calls 62559->67790 62591 7ff70bf46a10 62578->62591 62579 7ff70bf47083 CloseHandle 62581 7ff70bf4709a 62579->62581 62609 7ff70bf45d2b 62579->62609 62580 7ff70bf5a0a0 HeapFree 62580->62591 67795 7ff70bf4a030 57 API calls 62581->67795 62582 7ff70bf42470 2 API calls 62582->62609 62584 7ff70bf46f68 CloseHandle 62587 7ff70bf47191 CloseHandle 62584->62587 62586 7ff70bf45d7c HeapFree HeapFree 62590 7ff70bf460c4 62586->62590 62586->62609 62587->62581 62588 7ff70bf5a810 59 API calls 62588->62591 62591->62579 62591->62580 62591->62584 62591->62587 62591->62588 62600 7ff70bf471d3 62591->62600 62605 7ff70bf45d1c 62591->62605 62595 7ff70bf45df7 62599 7ff70bf48010 58 API calls 62595->62599 67796 7ff70bf48500 57 API calls 62600->67796 62605->62609 62612 7ff70bf41d90 HeapFree 62605->62612 62609->62582 62609->62586 62609->62595 62616 7ff70bf470eb 62609->62616 62612->62609 67794 7ff70bf4a030 57 API calls 62616->67794 62636 7ff70bf466b4 62635->62636 62637 7ff70bf45d1c 62636->62637 62638 7ff70bf41d90 HeapFree 62636->62638 62639 7ff70bf41d90 HeapFree 62637->62639 62654 7ff70bf45d2b 62637->62654 62662 7ff70bf46539 62638->62662 62639->62654 62640 7ff70bf42470 2 API calls 62640->62654 62641 7ff70bf472cb 67806 7ff70bf49140 57 API calls 62641->67806 62642 7ff70bf45d7c HeapFree HeapFree 62643 7ff70bf460c4 62642->62643 62642->62654 62646 7ff70bf470eb 67804 7ff70bf4a030 57 API calls 62646->67804 62649 7ff70bf45df7 62653 7ff70bf48010 58 API calls 62649->62653 62654->62309 62654->62640 62654->62642 62654->62646 62654->62649 62659 7ff70bf465d9 memset 62659->62662 62662->62637 62662->62641 62662->62654 62662->62659 67798 7ff70bf42970 62662->67798 62702 7ff70bf46a10 62689->62702 62690 7ff70bf47083 CloseHandle 62692 7ff70bf4709a 62690->62692 62720 7ff70bf45d2b 62690->62720 62691 7ff70bf5a0a0 HeapFree 62691->62702 67808 7ff70bf4a030 57 API calls 62692->67808 62693 7ff70bf42470 2 API calls 62693->62720 62695 7ff70bf46f68 CloseHandle 62698 7ff70bf47191 CloseHandle 
62695->62698 62697 7ff70bf45d7c HeapFree HeapFree 62701 7ff70bf460c4 62697->62701 62697->62720 62698->62692 62699 7ff70bf5a810 59 API calls 62699->62702 62702->62690 62702->62691 62702->62695 62702->62698 62702->62699 62711 7ff70bf471d3 62702->62711 62716 7ff70bf45d1c 62702->62716 62706 7ff70bf45df7 62710 7ff70bf48010 58 API calls 62706->62710 67809 7ff70bf48500 57 API calls 62711->67809 62716->62720 62723 7ff70bf41d90 HeapFree 62716->62723 62720->62693 62720->62697 62720->62706 62727 7ff70bf470eb 62720->62727 62723->62720 67807 7ff70bf4a030 57 API calls 62727->67807 62747 7ff70bf466b4 62746->62747 62748 7ff70bf45d1c 62747->62748 62749 7ff70bf41d90 HeapFree 62747->62749 62750 7ff70bf41d90 HeapFree 62748->62750 62753 7ff70bf45d2b 62748->62753 62751 7ff70bf46539 62749->62751 62750->62753 62751->62748 62751->62753 62754 7ff70bf472cb 62751->62754 62770 7ff70bf465d9 memset 62751->62770 62775 7ff70bf42970 2 API calls 62751->62775 62752 7ff70bf42470 2 API calls 62752->62753 62753->62309 62753->62752 62755 7ff70bf45d7c HeapFree HeapFree 62753->62755 62757 7ff70bf470eb 62753->62757 62760 7ff70bf45df7 62753->62760 67813 7ff70bf49140 57 API calls 62754->67813 62755->62753 62789 7ff70bf460c4 62755->62789 67811 7ff70bf4a030 57 API calls 62757->67811 62764 7ff70bf48010 58 API calls 62760->62764 62770->62751 62775->62751 62801 7ff70bf466b4 62800->62801 62802 7ff70bf45d1c 62801->62802 62803 7ff70bf41d90 HeapFree 62801->62803 62804 7ff70bf41d90 HeapFree 62802->62804 62817 7ff70bf45d2b 62802->62817 62825 7ff70bf46539 62803->62825 62804->62817 62805 7ff70bf42470 2 API calls 62805->62817 62806 7ff70bf472cb 67816 7ff70bf49140 57 API calls 62806->67816 62807 7ff70bf45d7c HeapFree HeapFree 62807->62817 62843 7ff70bf460c4 62807->62843 62809 7ff70bf470eb 67814 7ff70bf4a030 57 API calls 62809->67814 62812 7ff70bf45df7 62816 7ff70bf48010 58 API calls 62812->62816 62817->62309 62817->62805 62817->62807 62817->62809 62817->62812 62822 7ff70bf465d9 memset 62822->62825 62825->62802 62825->62806 
62825->62817 62825->62822 62828 7ff70bf42970 2 API calls 62825->62828 62828->62825 62858 7ff70bf46a10 62854->62858 62855 7ff70bf47083 CloseHandle 62857 7ff70bf4709a 62855->62857 62861 7ff70bf45d2b 62855->62861 62856 7ff70bf5a0a0 HeapFree 62856->62858 67818 7ff70bf4a030 57 API calls 62857->67818 62858->62855 62858->62856 62862 7ff70bf46f68 CloseHandle 62858->62862 62864 7ff70bf47191 CloseHandle 62858->62864 62865 7ff70bf5a810 59 API calls 62858->62865 62875 7ff70bf471d3 62858->62875 62880 7ff70bf45d1c 62858->62880 62859 7ff70bf42470 2 API calls 62859->62861 62861->62859 62863 7ff70bf45d7c HeapFree HeapFree 62861->62863 62870 7ff70bf45df7 62861->62870 62891 7ff70bf470eb 62861->62891 62862->62864 62863->62861 62864->62857 62865->62858 67819 7ff70bf48500 57 API calls 62875->67819 62880->62861 62887 7ff70bf41d90 HeapFree 62880->62887 62887->62861 62912 7ff70bf466b4 62911->62912 62913 7ff70bf45d1c 62912->62913 62914 7ff70bf41d90 HeapFree 62912->62914 62915 7ff70bf41d90 HeapFree 62913->62915 62930 7ff70bf45d2b 62913->62930 62942 7ff70bf46539 62914->62942 62915->62930 62916 7ff70bf42470 2 API calls 62916->62930 62917 7ff70bf472cb 62918 7ff70bf45d7c HeapFree HeapFree 62918->62930 62922 7ff70bf470eb 62925 7ff70bf45df7 62930->62309 62930->62916 62930->62918 62930->62922 62930->62925 62935 7ff70bf465d9 memset 62935->62942 62940 7ff70bf42970 2 API calls 62940->62942 62942->62913 62942->62917 62942->62930 62942->62935 62942->62940 62976 7ff70bf46a10 62965->62976 62966 7ff70bf47083 CloseHandle 62968 7ff70bf4709a 62966->62968 62994 7ff70bf45d2b 62966->62994 62967 7ff70bf5a0a0 HeapFree 62967->62976 67825 7ff70bf4a030 57 API calls 62968->67825 62969 7ff70bf42470 2 API calls 62969->62994 62971 7ff70bf46f68 CloseHandle 62973 7ff70bf47191 CloseHandle 62971->62973 62972 7ff70bf45d7c HeapFree HeapFree 62972->62994 62973->62968 62974 7ff70bf5a810 59 API calls 62974->62976 62976->62966 62976->62967 62976->62971 62976->62973 62976->62974 62985 7ff70bf471d3 62976->62985 62990 7ff70bf45d1c 
62976->62990 62980 7ff70bf45df7 67826 7ff70bf48500 57 API calls 62985->67826 62990->62994 62997 7ff70bf41d90 HeapFree 62990->62997 62994->62969 62994->62972 62994->62980 63001 7ff70bf470eb 62994->63001 62997->62994 63023 7ff70bf466b4 63022->63023 63024 7ff70bf45d1c 63023->63024 63025 7ff70bf41d90 HeapFree 63023->63025 63026 7ff70bf41d90 HeapFree 63024->63026 63041 7ff70bf45d2b 63024->63041 63049 7ff70bf46539 63025->63049 63026->63041 63027 7ff70bf42470 2 API calls 63027->63041 63028 7ff70bf472cb 63029 7ff70bf45d7c HeapFree HeapFree 63029->63041 63033 7ff70bf470eb 63036 7ff70bf45df7 63041->62309 63041->63027 63041->63029 63041->63033 63041->63036 63046 7ff70bf465d9 memset 63046->63049 63049->63024 63049->63028 63049->63041 63049->63046 63052 7ff70bf42970 2 API calls 63049->63052 63052->63049 63077 7ff70bf466b4 63076->63077 63078 7ff70bf45d1c 63077->63078 63079 7ff70bf41d90 HeapFree 63077->63079 63080 7ff70bf41d90 HeapFree 63078->63080 63091 7ff70bf45d2b 63078->63091 63107 7ff70bf46539 63079->63107 63080->63091 63081 7ff70bf42470 2 API calls 63081->63091 63082 7ff70bf472cb 63083 7ff70bf45d7c HeapFree HeapFree 63083->63091 63087 7ff70bf470eb 63090 7ff70bf45df7 63091->62309 63091->63081 63091->63083 63091->63087 63091->63090 63100 7ff70bf465d9 memset 63100->63107 63105 7ff70bf42970 2 API calls 63105->63107 63107->63078 63107->63082 63107->63091 63107->63100 63107->63105 63141 7ff70bf46a10 63130->63141 63131 7ff70bf47083 CloseHandle 63133 7ff70bf4709a 63131->63133 63150 7ff70bf45d2b 63131->63150 63132 7ff70bf5a0a0 HeapFree 63132->63141 67835 7ff70bf4a030 57 API calls 63133->67835 63134 7ff70bf42470 2 API calls 63134->63150 63136 7ff70bf46f68 CloseHandle 63138 7ff70bf47191 CloseHandle 63136->63138 63137 7ff70bf45d7c HeapFree HeapFree 63137->63150 63138->63133 63139 7ff70bf5a810 59 API calls 63139->63141 63141->63131 63141->63132 63141->63136 63141->63138 63141->63139 63151 7ff70bf471d3 63141->63151 63156 7ff70bf45d1c 63141->63156 63145 7ff70bf45df7 63150->63134 
63150->63137 63150->63145 63166 7ff70bf470eb 63150->63166 67836 7ff70bf48500 57 API calls 63151->67836 63156->63150 63160 7ff70bf41d90 HeapFree 63156->63160 63160->63150 63188 7ff70bf466b4 63187->63188 63189 7ff70bf45d1c 63188->63189 63190 7ff70bf41d90 HeapFree 63188->63190 63191 7ff70bf41d90 HeapFree 63189->63191 63206 7ff70bf45d2b 63189->63206 63214 7ff70bf46539 63190->63214 63191->63206 63192 7ff70bf42470 2 API calls 63192->63206 63193 7ff70bf472cb 63194 7ff70bf45d7c HeapFree HeapFree 63194->63206 63198 7ff70bf470eb 63201 7ff70bf45df7 63206->62309 63206->63192 63206->63194 63206->63198 63206->63201 63211 7ff70bf465d9 memset 63211->63214 63214->63189 63214->63193 63214->63206 63214->63211 63217 7ff70bf42970 2 API calls 63214->63217 63217->63214 63261 7ff70bf46a10 63241->63261 63242 7ff70bf47083 CloseHandle 63244 7ff70bf4709a 63242->63244 63247 7ff70bf45d2b 63242->63247 63243 7ff70bf5a0a0 HeapFree 63243->63261 67842 7ff70bf4a030 57 API calls 63244->67842 63245 7ff70bf42470 2 API calls 63245->63247 63247->63245 63249 7ff70bf45d7c HeapFree HeapFree 63247->63249 63256 7ff70bf45df7 63247->63256 63278 7ff70bf470eb 63247->63278 63248 7ff70bf46f68 CloseHandle 63250 7ff70bf47191 CloseHandle 63248->63250 63249->63247 63250->63244 63251 7ff70bf5a810 59 API calls 63251->63261 63261->63242 63261->63243 63261->63248 63261->63250 63261->63251 63262 7ff70bf471d3 63261->63262 63267 7ff70bf45d1c 63261->63267 67843 7ff70bf48500 57 API calls 63262->67843 63267->63247 63274 7ff70bf41d90 HeapFree 63267->63274 63274->63247 63310 7ff70bf46a10 63298->63310 63299 7ff70bf47083 CloseHandle 63301 7ff70bf4709a 63299->63301 63304 7ff70bf45d2b 63299->63304 63300 7ff70bf5a0a0 HeapFree 63300->63310 67846 7ff70bf4a030 57 API calls 63301->67846 63302 7ff70bf42470 2 API calls 63302->63304 63304->63302 63306 7ff70bf45d7c HeapFree HeapFree 63304->63306 63314 7ff70bf45df7 63304->63314 63335 7ff70bf470eb 63304->63335 63305 7ff70bf46f68 CloseHandle 63307 7ff70bf47191 CloseHandle 63305->63307 63306->63304 
63307->63301 63308 7ff70bf5a810 59 API calls 63308->63310 63310->63299 63310->63300 63310->63305 63310->63307 63310->63308 63319 7ff70bf471d3 63310->63319 63324 7ff70bf45d1c 63310->63324 67847 7ff70bf48500 57 API calls 63319->67847 63324->63304 63331 7ff70bf41d90 HeapFree 63324->63331 63331->63304 63356 7ff70bf46a10 63355->63356 63357 7ff70bf47083 CloseHandle 63356->63357 63358 7ff70bf5a0a0 HeapFree 63356->63358 63362 7ff70bf46f68 CloseHandle 63356->63362 63365 7ff70bf47191 CloseHandle 63356->63365 63366 7ff70bf5a810 59 API calls 63356->63366 63377 7ff70bf471d3 63356->63377 63382 7ff70bf45d1c 63356->63382 63359 7ff70bf4709a 63357->63359 63386 7ff70bf45d2b 63357->63386 63358->63356 67850 7ff70bf4a030 57 API calls 63359->67850 63360 7ff70bf42470 2 API calls 63360->63386 63362->63365 63364 7ff70bf45d7c HeapFree HeapFree 63364->63386 63365->63359 63366->63356 63372 7ff70bf45df7 67851 7ff70bf48500 57 API calls 63377->67851 63382->63386 63389 7ff70bf41d90 HeapFree 63382->63389 63386->63360 63386->63364 63386->63372 63393 7ff70bf470eb 63386->63393 63389->63386 63413 7ff70bf466b4 63412->63413 63414 7ff70bf45d1c 63413->63414 63415 7ff70bf41d90 HeapFree 63413->63415 63416 7ff70bf41d90 HeapFree 63414->63416 63431 7ff70bf45d2b 63414->63431 63443 7ff70bf46539 63415->63443 63416->63431 63417 7ff70bf42470 2 API calls 63417->63431 63418 7ff70bf472cb 63419 7ff70bf45d7c HeapFree HeapFree 63419->63431 63423 7ff70bf470eb 63426 7ff70bf45df7 63431->62309 63431->63417 63431->63419 63431->63423 63431->63426 63436 7ff70bf465d9 memset 63436->63443 63441 7ff70bf42970 2 API calls 63441->63443 63443->63414 63443->63418 63443->63431 63443->63436 63443->63441 63467 7ff70bf466b4 63466->63467 63468 7ff70bf45d1c 63467->63468 63469 7ff70bf41d90 HeapFree 63467->63469 63470 7ff70bf41d90 HeapFree 63468->63470 63485 7ff70bf45d2b 63468->63485 63497 7ff70bf46539 63469->63497 63470->63485 63471 7ff70bf42470 2 API calls 63471->63485 63472 7ff70bf472cb 63473 7ff70bf45d7c HeapFree HeapFree 63473->63485 63477 
7ff70bf470eb 63480 7ff70bf45df7 63485->62309 63485->63471 63485->63473 63485->63477 63485->63480 63490 7ff70bf465d9 memset 63490->63497 63495 7ff70bf42970 2 API calls 63495->63497 63497->63468 63497->63472 63497->63485 63497->63490 63497->63495 63521 7ff70bf466b4 63520->63521 63522 7ff70bf45d1c 63521->63522 63523 7ff70bf41d90 HeapFree 63521->63523 63524 7ff70bf41d90 HeapFree 63522->63524 63539 7ff70bf45d2b 63522->63539 63547 7ff70bf46539 63523->63547 63524->63539 63525 7ff70bf42470 2 API calls 63525->63539 63526 7ff70bf472cb 67861 7ff70bf49140 57 API calls 63526->67861 63527 7ff70bf45d7c HeapFree HeapFree 63528 7ff70bf460c4 63527->63528 63527->63539 63531 7ff70bf470eb 67859 7ff70bf4a030 57 API calls 63531->67859 63534 7ff70bf45df7 63538 7ff70bf48010 58 API calls 63534->63538 63539->62309 63539->63525 63539->63527 63539->63531 63539->63534 63544 7ff70bf465d9 memset 63544->63547 63547->63522 63547->63526 63547->63539 63547->63544 63550 7ff70bf42970 2 API calls 63547->63550 63550->63547 63575 7ff70bf46a10 63574->63575 63576 7ff70bf47083 CloseHandle 63575->63576 63577 7ff70bf5a0a0 HeapFree 63575->63577 63582 7ff70bf46f68 CloseHandle 63575->63582 63584 7ff70bf47191 CloseHandle 63575->63584 63585 7ff70bf5a810 59 API calls 63575->63585 63595 7ff70bf471d3 63575->63595 63600 7ff70bf45d1c 63575->63600 63578 7ff70bf4709a 63576->63578 63581 7ff70bf45d2b 63576->63581 63577->63575 67863 7ff70bf4a030 57 API calls 63578->67863 63579 7ff70bf42470 2 API calls 63579->63581 63581->63579 63583 7ff70bf45d7c HeapFree HeapFree 63581->63583 63590 7ff70bf45df7 63581->63590 63611 7ff70bf470eb 63581->63611 63582->63584 63583->63581 63626 7ff70bf460c4 63583->63626 63584->63578 63585->63575 63594 7ff70bf48010 58 API calls 63590->63594 67864 7ff70bf48500 57 API calls 63595->67864 63600->63581 63607 7ff70bf41d90 HeapFree 63600->63607 63607->63581 67862 7ff70bf4a030 57 API calls 63611->67862 67866 7ff70bf42a00 63631->67866 63703 7ff70bf466b4 63702->63703 63704 7ff70bf41d90 HeapFree 63703->63704 
63705 7ff70bf45d1c 63703->63705 63729 7ff70bf46539 63704->63729 63706 7ff70bf41d90 HeapFree 63705->63706 63721 7ff70bf45d2b 63705->63721 63706->63721 63707 7ff70bf42470 2 API calls 63707->63721 63708 7ff70bf472cb 67929 7ff70bf49140 57 API calls 63708->67929 63709 7ff70bf45d7c HeapFree HeapFree 63710 7ff70bf460c4 63709->63710 63709->63721 63713 7ff70bf470eb 67927 7ff70bf4a030 57 API calls 63713->67927 63716 7ff70bf45df7 63720 7ff70bf48010 58 API calls 63716->63720 63721->62309 63721->63707 63721->63709 63721->63713 63721->63716 63726 7ff70bf465d9 memset 63726->63729 63729->63705 63729->63708 63729->63721 63729->63726 63732 7ff70bf42970 2 API calls 63729->63732 63732->63729 63757 7ff70bf466b4 63756->63757 63758 7ff70bf41d90 HeapFree 63757->63758 63759 7ff70bf45d1c 63757->63759 63783 7ff70bf46539 63758->63783 63760 7ff70bf41d90 HeapFree 63759->63760 63775 7ff70bf45d2b 63759->63775 63760->63775 63761 7ff70bf42470 2 API calls 63761->63775 63762 7ff70bf472cb 67932 7ff70bf49140 57 API calls 63762->67932 63763 7ff70bf45d7c HeapFree HeapFree 63764 7ff70bf460c4 63763->63764 63763->63775 63767 7ff70bf470eb 67930 7ff70bf4a030 57 API calls 63767->67930 63770 7ff70bf45df7 63774 7ff70bf48010 58 API calls 63770->63774 63775->62309 63775->63761 63775->63763 63775->63767 63775->63770 63780 7ff70bf465d9 memset 63780->63783 63783->63759 63783->63762 63783->63775 63783->63780 63786 7ff70bf42970 2 API calls 63783->63786 63786->63783 63823 7ff70bf46a10 63810->63823 63811 7ff70bf47083 CloseHandle 63813 7ff70bf4709a 63811->63813 63841 7ff70bf45d2b 63811->63841 63812 7ff70bf5a0a0 HeapFree 63812->63823 67934 7ff70bf4a030 57 API calls 63813->67934 63814 7ff70bf42470 2 API calls 63814->63841 63816 7ff70bf46f68 CloseHandle 63819 7ff70bf47191 CloseHandle 63816->63819 63818 7ff70bf45d7c HeapFree HeapFree 63822 7ff70bf460c4 63818->63822 63818->63841 63819->63813 63820 7ff70bf5a810 59 API calls 63820->63823 63823->63811 63823->63812 63823->63816 63823->63819 63823->63820 63832 7ff70bf471d3 
63823->63832 63837 7ff70bf45d1c 63823->63837 63827 7ff70bf45df7 63831 7ff70bf48010 58 API calls 63827->63831 67935 7ff70bf48500 57 API calls 63832->67935 63837->63841 63844 7ff70bf41d90 HeapFree 63837->63844 63841->63814 63841->63818 63841->63827 63848 7ff70bf470eb 63841->63848 63844->63841 63868 7ff70bf466b4 63867->63868 63869 7ff70bf45d1c 63868->63869 63870 7ff70bf41d90 HeapFree 63868->63870 63871 7ff70bf41d90 HeapFree 63869->63871 63878 7ff70bf45d2b 63869->63878 63873 7ff70bf46539 63870->63873 63871->63878 63872 7ff70bf42470 2 API calls 63872->63878 63873->63869 63874 7ff70bf472cb 63873->63874 63873->63878 63890 7ff70bf465d9 memset 63873->63890 63895 7ff70bf42970 2 API calls 63873->63895 63875 7ff70bf45d7c HeapFree HeapFree 63875->63878 63877 7ff70bf470eb 63878->62309 63878->63872 63878->63875 63878->63877 63881 7ff70bf45df7 63878->63881 63890->63873 63895->63873 63922 7ff70bf466b4 63921->63922 63923 7ff70bf45d1c 63922->63923 63924 7ff70bf41d90 HeapFree 63922->63924 63925 7ff70bf41d90 HeapFree 63923->63925 63932 7ff70bf45d2b 63923->63932 63927 7ff70bf46539 63924->63927 63925->63932 63926 7ff70bf42470 2 API calls 63926->63932 63927->63923 63928 7ff70bf472cb 63927->63928 63927->63932 63944 7ff70bf465d9 memset 63927->63944 63949 7ff70bf42970 2 API calls 63927->63949 63929 7ff70bf45d7c HeapFree HeapFree 63929->63932 63931 7ff70bf470eb 63932->62309 63932->63926 63932->63929 63932->63931 63935 7ff70bf45df7 63932->63935 63944->63927 63949->63927 63976 7ff70bf466b4 63975->63976 63977 7ff70bf45d1c 63976->63977 63978 7ff70bf41d90 HeapFree 63976->63978 63979 7ff70bf41d90 HeapFree 63977->63979 63986 7ff70bf45d2b 63977->63986 63981 7ff70bf46539 63978->63981 63979->63986 63980 7ff70bf42470 2 API calls 63980->63986 63981->63977 63982 7ff70bf472cb 63981->63982 63981->63986 63998 7ff70bf465d9 memset 63981->63998 64003 7ff70bf42970 2 API calls 63981->64003 63983 7ff70bf45d7c HeapFree HeapFree 63983->63986 63985 7ff70bf470eb 63986->62309 63986->63980 63986->63983 63986->63985 
63989 7ff70bf45df7 63986->63989 63998->63981 64003->63981 64042 7ff70bf46a10 64029->64042 64030 7ff70bf47083 CloseHandle 64032 7ff70bf4709a 64030->64032 64060 7ff70bf45d2b 64030->64060 64031 7ff70bf5a0a0 HeapFree 64031->64042 67947 7ff70bf4a030 57 API calls 64032->67947 64033 7ff70bf42470 2 API calls 64033->64060 64035 7ff70bf46f68 CloseHandle 64038 7ff70bf47191 CloseHandle 64035->64038 64037 7ff70bf45d7c HeapFree HeapFree 64037->64060 64038->64032 64039 7ff70bf5a810 59 API calls 64039->64042 64042->64030 64042->64031 64042->64035 64042->64038 64042->64039 64051 7ff70bf471d3 64042->64051 64056 7ff70bf45d1c 64042->64056 64046 7ff70bf45df7 67948 7ff70bf48500 57 API calls 64051->67948 64056->64060 64063 7ff70bf41d90 HeapFree 64056->64063 64060->64033 64060->64037 64060->64046 64067 7ff70bf470eb 64060->64067 64063->64060 64087 7ff70bf466b4 64086->64087 64088 7ff70bf45d1c 64087->64088 64089 7ff70bf41d90 HeapFree 64087->64089 64090 7ff70bf41d90 HeapFree 64088->64090 64103 7ff70bf45d2b 64088->64103 64111 7ff70bf46539 64089->64111 64090->64103 64091 7ff70bf42470 2 API calls 64091->64103 64092 7ff70bf472cb 64093 7ff70bf45d7c HeapFree HeapFree 64093->64103 64095 7ff70bf470eb 64098 7ff70bf45df7 64103->62309 64103->64091 64103->64093 64103->64095 64103->64098 64108 7ff70bf465d9 memset 64108->64111 64111->64088 64111->64092 64111->64103 64111->64108 64114 7ff70bf42970 2 API calls 64111->64114 64114->64111 64141 7ff70bf44f9b 64140->64141 64142 7ff70bf44faf 64140->64142 64141->64142 64143 7ff70bf45006 memcpy 64141->64143 64144 7ff70bf45014 64142->64144 67953 7ff70bf4a0c0 64142->67953 64143->64144 64144->62309 64240 7ff70bf466b4 64239->64240 64241 7ff70bf45d1c 64240->64241 64242 7ff70bf41d90 HeapFree 64240->64242 64243 7ff70bf41d90 HeapFree 64241->64243 64250 7ff70bf45d2b 64241->64250 64245 7ff70bf46539 64242->64245 64243->64250 64244 7ff70bf42470 2 API calls 64244->64250 64245->64241 64246 7ff70bf472cb 64245->64246 64245->64250 64262 7ff70bf465d9 memset 64245->64262 64267 
7ff70bf42970 2 API calls 64245->64267 64247 7ff70bf45d7c HeapFree HeapFree 64247->64250 64249 7ff70bf470eb 64250->62309 64250->64244 64250->64247 64250->64249 64253 7ff70bf45df7 64250->64253 64262->64245 64267->64245 64294 7ff70bf466b4 64293->64294 64295 7ff70bf45d1c 64294->64295 64296 7ff70bf41d90 HeapFree 64294->64296 64297 7ff70bf41d90 HeapFree 64295->64297 64300 7ff70bf45d2b 64295->64300 64298 7ff70bf46539 64296->64298 64297->64300 64298->64295 64298->64300 64301 7ff70bf472cb 64298->64301 64317 7ff70bf465d9 memset 64298->64317 64322 7ff70bf42970 2 API calls 64298->64322 64299 7ff70bf42470 2 API calls 64299->64300 64300->62309 64300->64299 64302 7ff70bf45d7c HeapFree HeapFree 64300->64302 64304 7ff70bf470eb 64300->64304 64307 7ff70bf45df7 64300->64307 64302->64300 64317->64298 64322->64298 64348 7ff70bf46a10 64347->64348 64349 7ff70bf47083 CloseHandle 64348->64349 64350 7ff70bf5a0a0 HeapFree 64348->64350 64354 7ff70bf46f68 CloseHandle 64348->64354 64356 7ff70bf47191 CloseHandle 64348->64356 64357 7ff70bf5a810 59 API calls 64348->64357 64368 7ff70bf471d3 64348->64368 64373 7ff70bf45d1c 64348->64373 64351 7ff70bf4709a 64349->64351 64380 7ff70bf45d2b 64349->64380 64350->64348 67964 7ff70bf4a030 57 API calls 64351->67964 64352 7ff70bf42470 2 API calls 64352->64380 64354->64356 64355 7ff70bf45d7c HeapFree HeapFree 64355->64380 64356->64351 64357->64348 64363 7ff70bf45df7 67965 7ff70bf48500 57 API calls 64368->67965 64373->64380 64381 7ff70bf41d90 HeapFree 64373->64381 64380->64352 64380->64355 64380->64363 64385 7ff70bf470eb 64380->64385 64381->64380 64405 7ff70bf466b4 64404->64405 64406 7ff70bf45d1c 64405->64406 64407 7ff70bf41d90 HeapFree 64405->64407 64408 7ff70bf41d90 HeapFree 64406->64408 64410 7ff70bf45d2b 64406->64410 64409 7ff70bf46539 64407->64409 64408->64410 64409->64406 64409->64410 64412 7ff70bf472cb 64409->64412 64429 7ff70bf465d9 memset 64409->64429 64434 7ff70bf42970 2 API calls 64409->64434 64410->62309 64411 7ff70bf42470 2 API calls 64410->64411 
[Execution graph data omitted: this part of the report is the node/edge dump of the interactive execution graph for g3y89237.exe, which does not render as text. The recoverable content is that the graphed basic blocks lie in the 0x7ff70bf41d90 to 0x7ff70bf8bff0 address region of the sample, that the API-labelled nodes are HeapAlloc, HeapFree, CloseHandle, memset, memcpy, WaitForSingleObject and GetSystemTimePreciseAsFileTime, and that collapsed sub-graphs are summarised only by a call count (57, 58, 59 or 62 API calls).]
67774 7ff70bf5a88b RtlNtStatusToDosError 67772->67774 67775 7ff70bf5a883 67772->67775 67774->67775 67775->62477 67779 7ff70bf41db0 67778->67779 67780 7ff70bf41dab 67778->67780 67779->62495 67780->67779 67781 7ff70bf41de5 HeapFree 67780->67781 67781->67779 67799 7ff70bf42984 67798->67799 67803 7ff70bf429ae 67798->67803 67803->62662 67867 7ff70bf42a81 67866->67867 67869 7ff70bf42a0b 67866->67869 67899 7ff70bf47bd0 57 API calls 67867->67899 67872 7ff70bf42970 2 API calls 67869->67872 67870 7ff70bf42a66 67874 7ff70bf42a6e GetSystemTimePreciseAsFileTime 67870->67874 67900 7ff70bf47bd0 57 API calls 67870->67900 67872->67870 67954 7ff70bf4a12e 67953->67954 67956 7ff70bf484c0 57 API calls 67953->67956 68208 7ff70bf836b3 68263 7ff70bf80100 68208->68263 68287 7ff70bf7fff0 68263->68287 68290 7ff70bf5e3b0 57 API calls 68287->68290 68289 7ff70bf80017 68290->68289 68416 7ff70bf81ee3 68417 7ff70bf834c9 68416->68417 68418 7ff70bf81eec 68416->68418 68420 7ff70bf7e550 60 API calls 68417->68420 68418->68417 68419 7ff70bf81eff 68418->68419 68484 7ff70bf49140 57 API calls 68419->68484 68422 7ff70bf834f4 68420->68422 68423 7ff70bf83507 68422->68423 68424 7ff70bf80100 59 API calls 68422->68424 68425 7ff70bf87170 106 API calls 68423->68425 68424->68423 68427 7ff70bf8351e 68425->68427 68429 7ff70bf83525 HeapFree 68427->68429 68436 7ff70bf83536 68427->68436 68429->68436 68434 7ff70bf83607 SetLastError GetSystemDirectoryW 68435 7ff70bf8361f GetLastError 68434->68435 68434->68436 68435->68436 68437 7ff70bf83751 GetLastError 68435->68437 68436->68434 68438 7ff70bf83638 GetLastError 68436->68438 68485 7ff70bf5f4d0 58 API calls 68436->68485 68440 7ff70bf83798 68437->68440 68441 7ff70bf83783 HeapFree 68437->68441 68438->68436 68442 7ff70bf84a8d 68438->68442 68445 7ff70bf5a0a0 HeapFree 68440->68445 68441->68440 68488 7ff70bf49140 57 API calls 68442->68488 68452 7ff70bf837a4 68445->68452 68451 7ff70bf83867 SetLastError GetWindowsDirectoryW 68451->68452 68453 7ff70bf8387f GetLastError 68451->68453 
68452->68451 68457 7ff70bf83898 GetLastError 68452->68457 68486 7ff70bf5f4d0 58 API calls 68452->68486 68453->68452 68456 7ff70bf839e8 GetLastError 68453->68456 68459 7ff70bf83a1b HeapFree 68456->68459 68460 7ff70bf83a30 68456->68460 68457->68452 68458 7ff70bf84aaa 68457->68458 68489 7ff70bf49140 57 API calls 68458->68489 68459->68460 68463 7ff70bf5a0a0 HeapFree 68460->68463 68476 7ff70bf83a43 68463->68476 68469 7ff70bf83bad 68487 7ff70bf49140 57 API calls 68469->68487 68470 7ff70bf7da00 60 API calls 68470->68476 68473 7ff70bf83b97 68473->68469 68474 7ff70bf83b9c HeapFree 68473->68474 68474->68469 68475 7ff70bf83add HeapFree 68475->68476 68476->68469 68476->68470 68476->68473 68476->68475 68477 7ff70bf7e550 60 API calls 68476->68477 68478 7ff70bf80100 59 API calls 68476->68478 68479 7ff70bf87170 106 API calls 68476->68479 68480 7ff70bf83b43 HeapFree 68476->68480 68481 7ff70bf83b64 68476->68481 68477->68476 68478->68476 68479->68476 68480->68476 68482 7ff70bf83b7e HeapFree 68481->68482 68483 7ff70bf83b8f 68481->68483 68482->68483 68483->68473 68485->68436 68486->68452 68490 7ff70bf83913 68491 7ff70bf80100 59 API calls 68490->68491 68492 7ff70bf8391f 68491->68492 68493 7ff70bf87170 106 API calls 68492->68493 68494 7ff70bf8393c 68493->68494 68495 7ff70bf83957 68494->68495 68496 7ff70bf83946 HeapFree 68494->68496 68497 7ff70bf8397d HeapFree 68495->68497 68498 7ff70bf83992 68495->68498 68496->68495 68497->68498 68499 7ff70bf5a0a0 HeapFree 68498->68499 68509 7ff70bf839af 68498->68509 68499->68509 68500 7ff70bf83bad 68534 7ff70bf49140 57 API calls 68500->68534 68501 7ff70bf7da00 60 API calls 68501->68509 68504 7ff70bf83b97 68504->68500 68506 7ff70bf83b9c HeapFree 68504->68506 68506->68500 68508 7ff70bf83add HeapFree 68508->68509 68509->68500 68509->68501 68509->68504 68509->68508 68510 7ff70bf7e550 60 API calls 68509->68510 68515 7ff70bf80100 59 API calls 68509->68515 68516 7ff70bf87170 106 API calls 68509->68516 68517 7ff70bf83b43 HeapFree 68509->68517 68520 7ff70bf83b64 
68509->68520 68510->68509 68515->68509 68516->68509 68517->68509 68523 7ff70bf83b7e HeapFree 68520->68523 68524 7ff70bf83b8f 68520->68524 68523->68524 68524->68504 68535 7ff70bf87871 68536 7ff70bf7c000 81 API calls 68535->68536 68537 7ff70bf878cd 68536->68537
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap$memcpy
              • String ID: #$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "$.exeprogram not found$\cmd.exemaximum number of ProcThreadAttributes exceeded$assertion failed: is_code_point_boundary(self, new_len)$h${7$7
              • API String ID: 2518219592-732069694
              • Opcode ID: c7c0f9cb4d06138ea33d859e404d0faed99770b5e9589e7f912b3f2f8b94a00f
              • Instruction ID: 648b035a819a8eab81e2ac231da78bd238e6c00c7125157000ec3292ff7b2fac
              • Opcode Fuzzy Hash: c7c0f9cb4d06138ea33d859e404d0faed99770b5e9589e7f912b3f2f8b94a00f
              • Instruction Fuzzy Hash: 0A238462A18AD288E770AF299C503FDA391FF44788F805135DA4E9BBA5DF78B741C314

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Time$CreateErrorFileFolderFreeKnownLastMutexPathPreciseSystemTasklstrlen
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789Time went backwards$AppData/Roaming/.ini
              • API String ID: 3013936994-1824078142
              • Opcode ID: 2b018ac6fdf938da36e0138e5929e0236d7cd55f53d5858ca2c8a7eeed52c723
              • Instruction ID: 5dd8822b8abb8952513318302c2dafda957de212a40addf807b3057f1a954178
              • Opcode Fuzzy Hash: 2b018ac6fdf938da36e0138e5929e0236d7cd55f53d5858ca2c8a7eeed52c723
              • Instruction Fuzzy Hash: 10C28D32A1CBC181E771AB19E8547EAA3A0FF85744F804135DA8E87BA9DF7DE245C710

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$FileModuleName
              • String ID: PATHlibrary\std\src\sys_common\process.rs$u${7$7
              • API String ID: 1026760046-4282765210
              • Opcode ID: d5b96f44b4a80ebda02b908a4e027d6470f1f60ae55d4ece0b73d64c2a70353f
              • Instruction ID: b2549add58cd9390d44174e2d5c2154810a34a35d2dc72b91ff3fceb9f2a421d
              • Opcode Fuzzy Hash: d5b96f44b4a80ebda02b908a4e027d6470f1f60ae55d4ece0b73d64c2a70353f
              • Instruction Fuzzy Hash: 83326561B18A8288F770AB699C443FDA291BF05788F904535DE0EEB7E5DF38B7458324

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789Time went backwards$AppData/Roaming/.ini$Unable to write file
              • API String ID: 0-1077562169
              • Opcode ID: a38e80168820d5b5608e183547b4f1efbaf0abb6e8190ba79164c1ce47a2bf0a
              • Instruction ID: 9c7093c7f68025635d53f47854005d611822cbaceaad0e64d94b8a59c6417936
              • Opcode Fuzzy Hash: a38e80168820d5b5608e183547b4f1efbaf0abb6e8190ba79164c1ce47a2bf0a
              • Instruction Fuzzy Hash: DE92A12261CBC181E775AB18E8557EAA3A0FF85344F804135DACE87BA9DF7DE245C710

              Control-flow Graph

              APIs
              Strings
              • Unable to write file, xrefs: 00007FF70BF471B1
              • assertion failed: filled <= self.buf.init/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\core\src\io\borrowed_buf.rs, xrefs: 00007FF70BF472CB
              • 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx, xrefs: 00007FF70BF45DE3
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$memset
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$Unable to write file$assertion failed: filled <= self.buf.init/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\core\src\io\borrowed_buf.rs
              • API String ID: 631287834-3641448576
              • Opcode ID: 273017bb11472d65fb53a3a35cc7824c80dbbbc93f7a95f503bed4864e46d8dc
              • Instruction ID: 353c526f91babbd06c010790576cc05e3fb9c0bda12fac1e73d748d461070995
              • Opcode Fuzzy Hash: 273017bb11472d65fb53a3a35cc7824c80dbbbc93f7a95f503bed4864e46d8dc
              • Instruction Fuzzy Hash: 05325C22A0CBC184E671AB19EC547EAE3A1FF85784F844535DA8E877A9DF7CE244C710

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$Time$FilePreciseSystem
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$AppData/Roaming/.ini
              • API String ID: 1465647071-3743347642
              • Opcode ID: 8383eb04aec1f18f2dfe1c2234891d7f39b372fd37d1ff9f8c3e1245a01f2971
              • Instruction ID: a63f0484486dbde730234b86b0d21820504d47447dd0ebd2ded284739f22f3d2
              • Opcode Fuzzy Hash: 8383eb04aec1f18f2dfe1c2234891d7f39b372fd37d1ff9f8c3e1245a01f2971
              • Instruction Fuzzy Hash: 4A627E2261CBC581E771AB18E8457EAE3A0FFD9344F804125DACD83A69DF7DE285CB10

              Control-flow Graph
              • Entry 7ff70bf45406; API calls on the graph: GetSystemTimePreciseAsFileTime, memcpy, memset, HeapFree (node and edge listing omitted)
              Similarity
              • API ID: FreeHeap$Time$FilePreciseSystem
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$AppData/Roaming/.ini
              • API String ID: 1465647071-3743347642
              • Opcode ID: 175af3ccc28f33815543b9f952525e7fa42a9356044c30fb87950c61219f67e3
              • Instruction ID: 8fe72d973bf3908fbaae450ab9b0aeb798c3f007679c8e79001599f7873fcf04
              • Opcode Fuzzy Hash: 175af3ccc28f33815543b9f952525e7fa42a9356044c30fb87950c61219f67e3
              • Instruction Fuzzy Hash: B7625D2250CBC181E772AB18E8457EAB3A0FFD9344F844125DACD97A69DF7DE285CB10

              Control-flow Graph
              • Entry 7ff70bf46a45; API calls on the graph: CloseHandle, HeapFree (node and edge listing omitted)
              Similarity
              • API ID: FreeHeap$CloseHandle$ObjectSingleWait
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$Unable to write file
              • API String ID: 690006645-2275632151
              • Opcode ID: da6aab6754a80d3f0cb0b506d4660cca771bbd303ed3a5b860d5f8626e59dd68
              • Instruction ID: 991910bc277f09a12e9228fb22dc7d60bd05a1c6b6bbfad119ff677b903a84a1
              • Opcode Fuzzy Hash: da6aab6754a80d3f0cb0b506d4660cca771bbd303ed3a5b860d5f8626e59dd68
              • Instruction Fuzzy Hash: 6B022A2290CBC185E671AB19EC543EAE3A1FFC5744F804536DA8E876AADF7CE245C710

              Control-flow Graph
              • Entry 7ff70bf45526; API calls on the graph: GetSystemTimePreciseAsFileTime, memcpy, memset, HeapFree (node and edge listing omitted)
              Similarity
              • API ID: FreeHeap$Time$FilePreciseSystemmemcpy
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$AppData/Roaming/.ini
              • API String ID: 2377283123-3743347642
              • Opcode ID: 7e7ca5c1dabae207b461098cee54b61b9f074bbec7c9ebdfa2d15d3ede2d794b
              • Instruction ID: a7090699cc4373eca6dbdeab4fa4ecb102f0c71f8e2079995a768eb03946465a
              • Opcode Fuzzy Hash: 7e7ca5c1dabae207b461098cee54b61b9f074bbec7c9ebdfa2d15d3ede2d794b
              • Instruction Fuzzy Hash: 35523C3250CBC180E6729B18E8457EAB3A0FFD9344F845225DACD97A69DF7DE285CB10

              Control-flow Graph
              • Entry 7ff70bf45646; API calls on the graph: memcpy, memset, HeapFree (node and edge listing omitted)
              Similarity
              • API ID: FreeHeap$CloseHandle$memcpy$ErrorLastObjectSingleWaitmemset
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$AppData/Roaming/.ini
              • API String ID: 2001734730-3743347642
              • Opcode ID: ba7e995fbeff491864ed8ad2bbaab3f9635f396bd4e85a0dd0b06119a68f8960
              • Instruction ID: 355162d08b507dc53f519d8217ed0fa073749c9453416b6083d7c757d87efa12
              • Opcode Fuzzy Hash: ba7e995fbeff491864ed8ad2bbaab3f9635f396bd4e85a0dd0b06119a68f8960
              • Instruction Fuzzy Hash: 3552293250CBC184E6729B18E8457EAB3A0FFD9344F844225DACD97A69DF7DE285CB10

              Control-flow Graph
              • Entry 7ff70bf459c2; API calls on the graph: HeapFree, memset (node and edge listing omitted)
              Similarity
              • API ID: FreeHeapmemset
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
              • API String ID: 2097932597-821382732
              • Opcode ID: e55fc153c49a6a938ceaa88a84e1cf16457adcd85d11625fa41fb6843aa9c602
              • Instruction ID: 5df3bf4ed3eb44348ae336c1db8bca0e22adc60e43faa32f0543ed051246f5dd
              • Opcode Fuzzy Hash: e55fc153c49a6a938ceaa88a84e1cf16457adcd85d11625fa41fb6843aa9c602
              • Instruction Fuzzy Hash: F822193250CBC584E672AB18E8453EAF3A0FFD9344F845225DAC953A69DF7DE285CB10

              Control-flow Graph
              • Entry 7ff70bf4663b; API calls on the graph: memset, HeapFree (node and edge listing omitted)
              Similarity
              • API ID: FreeHeap
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
              • API String ID: 3298025750-821382732
              • Opcode ID: aa511c3704208593301ac787b9fa7563f335581086a5a5270e480f876c3a2eda
              • Instruction ID: a029ec5fee0ec33f43069920ab44e5d90ea60f24373128f5dcd45cad1576bc5b
              • Opcode Fuzzy Hash: aa511c3704208593301ac787b9fa7563f335581086a5a5270e480f876c3a2eda
              • Instruction Fuzzy Hash: 46F1273261CBC184E671AB19E8547EAE3A0FF85744F844135DA8E87BA9DF7DE244CB10

              Control-flow Graph
              • Entry 7ff70bf466a5; API calls on the graph: memset, HeapFree (node and edge listing omitted)
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
              • API String ID: 3298025750-821382732
              • Opcode ID: a50f15cbf05c0c28286c5578edda99c3c77aa18966c97af55211d458bf930a51
              • Instruction ID: e3031e1caf02123bee0b300c33dc926b80cc294a8b9b86ae20087dfde46e26b1
              • Opcode Fuzzy Hash: a50f15cbf05c0c28286c5578edda99c3c77aa18966c97af55211d458bf930a51
              • Instruction Fuzzy Hash: 28D1183260CBC185E771AB19E8543EAB3A0FF85744F804135DA8E87AA9DF7DE245CB50

              Control-flow Graph

control_flow_graph (rendered graph omitted; root block 7ff70bf88550, basic blocks 7ff70bf88550-7ff70bf88cde). Imported APIs reached on the graph: GetCurrentProcessId (7ff70bf885b0), ProcessPrng in a block that loops back on itself (7ff70bf885d0-7ff70bf885f6, edge 2211->2211, i.e. the call is repeated until the buffer is filled), HeapFree (many blocks), GetLastError (7ff70bf88a45) and CloseHandle (7ff70bf88b44, 7ff70bf88cc3). Internal routines called: 7ff70bf48010, 7ff70bf8bff0, 7ff70bf47bd0, 7ff70bf90150, 7ff70bf8fd24, 7ff70bf4e820, 7ff70bf7c000.
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Process$CurrentFreeHeapPrng
              • String ID:
              • API String ID: 2687294623-0
              • Opcode ID: fab8dd7ec52847f4d955bf86790b075d06826c0ba5b08403dcbc7f7fb067722b
              • Instruction ID: 6aa34fd8c4e6fbc47b91135d899107dea672d06b0a5308b6b680d0bd8acb2acc
              • Opcode Fuzzy Hash: fab8dd7ec52847f4d955bf86790b075d06826c0ba5b08403dcbc7f7fb067722b
              • Instruction Fuzzy Hash: 0612DF22A08A8189EB14EF29DC103B967A0FF44798F944636DA6F977E5DF7CE245C310
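The Similarity records on this page (API ID, String ID, API String ID and the opcode/instruction hashes) are the per-function data an analyst actually joins across reports, and their format is regular enough to parse. The following Python is an added example, not Joe Sandbox code and not code from the sample: it parses records in the format shown above (the three embedded records are copied from this report), checks that equal API ID or String ID text always carries the same numeric API String ID (an assumption about Joe's numbering that holds for every record on this page; an empty String ID is numbered 0), lists which functions name a given API such as ProcessPrng, and derives a regex from the `xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx` template (the classic v4 pattern: fixed version nibble 4, variant nibble 8/9/A/B) so IDs produced by such code can be matched in traffic or logs. Two interpretations are assumptions, not statements of the report: that the hex alphabet `0123456789ABCDEF` appears fused to the template because Rust string literals carry no NUL terminator and Joe extracts adjacent literals as one string (compare `PATHlibrary\std\src\sys_common\process.rs` further down), and that `$` is purely a separator in the String ID field.

```python
import re

# Constructed sample input: the first three Similarity records of this report, copied verbatim
# (only the fields the functions below use are included).
SAMPLE = """\
Similarity
• API ID: FreeHeap
• String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
• API String ID: 3298025750-821382732
• Opcode ID: a50f15cbf05c0c28286c5578edda99c3c77aa18966c97af55211d458bf930a51
Similarity
• API ID: Process$CurrentFreeHeapPrng
• String ID:
• API String ID: 2687294623-0
• Opcode ID: fab8dd7ec52847f4d955bf86790b075d06826c0ba5b08403dcbc7f7fb067722b
Similarity
• API ID: CloseFreeHandleHeap$ErrorLastObjectSingleWait
• String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
• API String ID: 3984667017-821382732
• Opcode ID: 0589053d7fdc4ab34842e09529d76e857bc79feadd2d1a825856b015f2653f76
"""

FIELD = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")
UUID_V4_TEMPLATE = "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx"


def parse_records(text):
    """Start a new record at every 'Similarity' line and collect its '• Key: value' bullets."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            cur = {}
            records.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group("key")] = m.group("val")
    for rec in records:
        # Assumption: '$' separates the groups of an API ID and the strings of a String ID.
        # A literal '$' inside an extracted string cannot be told apart from the separator.
        rec["api_groups"] = rec["API ID"].split("$") if rec.get("API ID") else []
        rec["strings"] = rec["String ID"].split("$") if rec.get("String ID") else []
        api_num, _, str_num = rec.get("API String ID", "0-0").partition("-")
        rec["api_hash"], rec["string_hash"] = int(api_num), int(str_num)
    return records


def id_inconsistencies(records):
    """Assumption checked here: the two numbers of 'API String ID' are deterministic IDs of the
    API ID text and the String ID text (0 for an empty String ID), so equal text must carry
    the same number in every record. Returns (text, first number, conflicting number) tuples."""
    seen, bad = {}, []
    for rec in records:
        for key, num in ((("api", rec.get("API ID", "")), rec["api_hash"]),
                         (("str", rec.get("String ID", "")), rec["string_hash"])):
            if seen.setdefault(key, num) != num:
                bad.append((key[1], seen[key], num))
    return bad


def api_words(group):
    """Joe fuses the words of the APIs in a group ('CurrentFreeHeapPrng'); split on capitals.
    Lower-case CRT names (memcpy, strlen) stay glued to a neighbour, hence substring matching."""
    return re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", group)


def functions_calling(records, token):
    """Indices of the records whose API ID mentions `token` (case-sensitive substring of a word)."""
    return [i for i, rec in enumerate(records)
            if any(token in w for g in rec["api_groups"] for w in api_words(g))]


def template_to_regex(template=UUID_V4_TEMPLATE):
    """The classic v4 template: x is any hex nibble, y the RFC 4122 variant nibble (8, 9, A or B)."""
    classes = {"x": "[0-9A-Fa-f]", "y": "[89ABab]"}
    return re.compile("^" + "".join(classes.get(ch, re.escape(ch)) for ch in template) + "$")


def uuid_template_hits(records):
    """(record index, text preceding the template) for every extracted string holding the template.
    Assumption: Rust string literals are not NUL-terminated, so Joe shows the neighbouring literal
    '0123456789ABCDEF' (the hex alphabet used to fill the template) fused in front of it."""
    hits = []
    for i, rec in enumerate(records):
        for s in rec["strings"]:
            pos = s.find(UUID_V4_TEMPLATE)
            if pos != -1:
                hits.append((i, s[:pos]))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("records parsed:", len(recs))
    print("functions naming *Prng*:", functions_calling(recs, "Prng"))
    print("v4 template seen in:", uuid_template_hits(recs))
    print("ID mismatches:", id_inconsistencies(recs))
    print("regex:", template_to_regex().pattern)
```

Run it against a whole exported report to get the function index in one pass; a non-empty result from `id_inconsistencies` means the records came from different report versions or the numbering assumption is wrong, so stop joining on the numeric IDs and join on the text instead.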
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
              • String ID:
              • API String ID: 3806033187-0
              • Opcode ID: 2f4b3cf683d1774178c16a341d2cb85f8fb19929ae89948ea2184860e8cf4e4b
              • Instruction ID: fdbdc9ecf731d18bc5f87e6db978a7f87f78ead7731e501a6d0e47c2ce960dc0
              • Opcode Fuzzy Hash: 2f4b3cf683d1774178c16a341d2cb85f8fb19929ae89948ea2184860e8cf4e4b
              • Instruction Fuzzy Hash: 16516936A0864285F710BB2DEC50A79A7A1AF84B94F954131CA0ED77A6DF6CF680C724
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorObjectSingleStatusWait
              • String ID:
              • API String ID: 4189389217-0
              • Opcode ID: 8a6107b900afb63b4f8dd730b117374fbcb467abde2a9b639d697b08e8a0f19a
              • Instruction ID: b3672cc7eb3e759cebcbe47e537c50d8c60cf18c7f03df29c68da46565effce0
              • Opcode Fuzzy Hash: 8a6107b900afb63b4f8dd730b117374fbcb467abde2a9b639d697b08e8a0f19a
              • Instruction Fuzzy Hash: BF219622F14A8189E710DB78DC403E977A1EF58358F948231EA5E937A5EF38E2D58750

              Control-flow Graph

control_flow_graph (rendered graph omitted; root block 7ff70bf81ee3, basic blocks 7ff70bf81ee3-7ff70bf851a0). Imported APIs reached on the graph: CloseHandle * 3 (7ff70bf84bcf) plus further CloseHandle blocks (7ff70bf84c3f, 7ff70bf85121), HeapFree (many blocks), SetLastError followed by GetSystemDirectoryW (7ff70bf83607) with GetLastError checked afterwards (7ff70bf8361f, 7ff70bf8362c, 7ff70bf83751), and SetLastError followed by GetWindowsDirectoryW (7ff70bf83867) with the same GetLastError checks (7ff70bf8387f, 7ff70bf8388c, 7ff70bf839e8). The SetLastError(0) / call / GetLastError sequence around a buffer-filling Win32 call is the Rust standard library's fill_utf16_buf wrapper, which fits the Rust panic string in this record. Internal routines called: 7ff70bf7e550, 7ff70bf49140, 7ff70bf80100, 7ff70bf87170, 7ff70bf88490, 7ff70bf88430, 7ff70bf5f4d0, 7ff70bf5a0a0, 7ff70bf7cde0, 7ff70bf7da00, 7ff70bf884e0, 7ff70bf90150, 7ff70bf4a360, 7ff70bf876f0.
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$ErrorFreeHeapLast$DirectorySystem
              • String ID: assertion failed: is_code_point_boundary(self, new_len)$R<${7$7
              • API String ID: 198379017-1219563792
              • Opcode ID: 9a08db128281fd67ef1bc79175e1f0d0c7fa5e96cb7c325d4cafa98b39e4be97
              • Instruction ID: a9c2568a20d5bd4f6dc9cbe1fc3963ccb4a453ce27006fececfc5a80b0137c9f
              • Opcode Fuzzy Hash: 9a08db128281fd67ef1bc79175e1f0d0c7fa5e96cb7c325d4cafa98b39e4be97
              • Instruction Fuzzy Hash: 2F817762A18A8288FB20AB69DC443FDA291BF45788F900535DE0EE77F5DF38B7418215

              Control-flow Graph

control_flow_graph (rendered graph omitted; root block 7ff70bf8b21e, basic blocks 7ff70bf8b21e-7ff70bf8b25d). Imported APIs reached on the graph: HeapFree (7ff70bf8b228 and 7ff70bf8b243). Internal routines called: 7ff70bf87010, 7ff70bf90150.
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseFreeHandleHeap$ErrorLastObjectSingleWait
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
              • API String ID: 3984667017-821382732
              • Opcode ID: 0589053d7fdc4ab34842e09529d76e857bc79feadd2d1a825856b015f2653f76
              • Instruction ID: 7e9c7d52d8eb74baa2eb006e671419b7ac7b4800f9f234474deb49b975a78527
              • Opcode Fuzzy Hash: 0589053d7fdc4ab34842e09529d76e857bc79feadd2d1a825856b015f2653f76
              • Instruction Fuzzy Hash: 49515222604BC188E761AF35DC553E96360FF4578CF844531DE4E9BBA6CF39A285C350
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx$assertion failed: old_left_len + count <= CAPACITY$called `Result::unwrap()` on an `Err` value
              • API String ID: 3510742995-4224073696
              • Opcode ID: 6cf25e6f971429a25d4612359daab4356b557b7407081abd336c18b852390a2d
              • Instruction ID: 1511795602e8541015886b23777e9ca76114463561dd6fa72096baaeb0012057
              • Opcode Fuzzy Hash: 6cf25e6f971429a25d4612359daab4356b557b7407081abd336c18b852390a2d
              • Instruction Fuzzy Hash: C9C1D462A15BC582EB459F28E8013E9A774FF58B98F849336DE4D53361EF38A295C300
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorFreeHeapLast$FileHandle$CloseCreateInformation
              • String ID:
              • API String ID: 2929975209-0
              • Opcode ID: f246aef1d5592c61cca5ff9bce33cd5e42abfbc348b596a56001a0e298a46806
              • Instruction ID: d8f03605087aa1efe07b8aa4fea00374059a52158bca6d54e68ed4274af87773
              • Opcode Fuzzy Hash: f246aef1d5592c61cca5ff9bce33cd5e42abfbc348b596a56001a0e298a46806
              • Instruction Fuzzy Hash: 0771D061A5C25246FB60E62D9D003B9A791EF05784F844570EE4ED3AE5DF7CFBA18320
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$FreeHeap$DirectoryWindows
              • String ID: u
              • API String ID: 3501643275-1900653220
              • Opcode ID: 14fac850f010c89a92b6d4b1e798783cbd06fb4f3f36861bbd50b07f58335f84
              • Instruction ID: 29ff4ac004e7234053fe905dfeb2967ca1d4fc9d3cedf10c64d90718ee01fc00
              • Opcode Fuzzy Hash: 14fac850f010c89a92b6d4b1e798783cbd06fb4f3f36861bbd50b07f58335f84
              • Instruction Fuzzy Hash: 59417852A08AD188E730AE39DC053FA6290FF05798F800535D91EEB7E5DF38E3458715
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$ErrorFreeHeapLast
              • String ID:
              • API String ID: 2056089037-0
              • Opcode ID: 1323ba4dda3ab545486889ff6b4c9a5f81c7ad8fe403f0b451cb9e8398cacb66
              • Instruction ID: 1b861a233715ce45c4180204a7d99e5dcf4bc7103e19a0e16012aaf17c83ffab
              • Opcode Fuzzy Hash: 1323ba4dda3ab545486889ff6b4c9a5f81c7ad8fe403f0b451cb9e8398cacb66
              • Instruction Fuzzy Hash: 74419422A0864185EB20EB26DD513B9A7A1BF89784F844931DF4F977A7DF3DF6418320
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID: PATHlibrary\std\src\sys_common\process.rs$48
              • API String ID: 3298025750-3442816736
              • Opcode ID: cd614ac63f60a9090a05703ef0da84831ca5f9613e0c7d819f5e20255e6128b8
              • Instruction ID: a1be92c3f65a88c940d77ba1ca9c7ac5bb41a7484a7ecfca2da0c30a2987ee6e
              • Opcode Fuzzy Hash: cd614ac63f60a9090a05703ef0da84831ca5f9613e0c7d819f5e20255e6128b8
              • Instruction Fuzzy Hash: 75310265A05AC684EB30EF25CC543F99391FF44B88F845431DA0E9B7A9DF38A345C354
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: DescriptionThread
              • String ID: main
              • API String ID: 2285587249-3207122276
              • Opcode ID: 741f6ca0450cfe1ac35866d149c43a81e5f9707f8f110dddb499210cde841b2f
              • Instruction ID: fb4b071a1d13f50de6f70e5b6a39df637b4177e52084e054581e6c11d73c36ae
              • Opcode Fuzzy Hash: 741f6ca0450cfe1ac35866d149c43a81e5f9707f8f110dddb499210cde841b2f
              • Instruction Fuzzy Hash: 8F013C22A14602D9FA10FB68EC512ED6764AF40348FD00536D90E976B6DF68BB45C360
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorFileLastRead
              • String ID:
              • API String ID: 1948546556-0
              • Opcode ID: 19565dbab92082279646286e654a81747c1703d4ce92d11a166ae075c0508e8c
              • Instruction ID: 5a522fe98bbe31a0015dff1222236e70a466dfe2905857c4dfa5bb48f4066049
              • Opcode Fuzzy Hash: 19565dbab92082279646286e654a81747c1703d4ce92d11a166ae075c0508e8c
              • Instruction Fuzzy Hash: 5C319062B08B8599EB149B69D8503BD6762EF05794F808431EF4EA37D6DF3DE6908320
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: AllocHeap
              • String ID:
              • API String ID: 4292702814-0
              • Opcode ID: fc250e30dabcf331e30d67b912fa89095ecf2697009bf7f080b2e88e9263060b
              • Instruction ID: 8250d12d620e539587743dbeb0eb36f302654dc74bfb78bb4394abd034935930
              • Opcode Fuzzy Hash: fc250e30dabcf331e30d67b912fa89095ecf2697009bf7f080b2e88e9263060b
              • Instruction Fuzzy Hash: C001AC31A1864541FB65671AAD447B9D190AF48384F988035EEDEC77E0CFBCB5C1D221
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
• Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: cdae0ccbd79fa23490185fc1d973eac0c3468866581d28c2de2e20de8232cf7d
              • Instruction ID: 91fb2214458dcf1ed01c7f9fbd8bc4c17f81cc1e87bfacbab29774ca94b59219
              • Opcode Fuzzy Hash: cdae0ccbd79fa23490185fc1d973eac0c3468866581d28c2de2e20de8232cf7d
              • Instruction Fuzzy Hash: 8B012C21F0861285FA15B7299C543BCA2A1AF45B84FD84535CE0ED73A6DF7CBB81C360
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Process$CloseCurrentFreeHandleHeapPrng
              • String ID:
              • API String ID: 4199747799-0
              • Opcode ID: ffecd02bc165d056e1df3a4a3a4f8ee474a8dba6972c3d8a7b3b0b8424de3abc
              • Instruction ID: effa0970481427fb6d600c1c62c6a88bec4b3c72f39e1f66abf3c8965178c108
              • Opcode Fuzzy Hash: ffecd02bc165d056e1df3a4a3a4f8ee474a8dba6972c3d8a7b3b0b8424de3abc
              • Instruction Fuzzy Hash: 79F01D2360468145E651AE29ED503A892959F44BE8FA88431DE1E97BF5DF3CBAC68320
              APIs
              Strings
              • .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_typesUtf8Errorvalid_up_toerror_lenNoneSome, xrefs: 00007FF70BF60C3D
              • .debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwolibrary\std\src\..\..\backtrace\src\symbolize\gimli.rs, xrefs: 00007FF70BF633A8
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy
              • String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_typesUtf8Errorvalid_up_toerror_lenNoneSome$.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwolibrary\std\src\..\..\backtrace\src\symbolize\gimli.rs
              • API String ID: 3510742995-2604783721
              • Opcode ID: 2424e01f5310c213d65bb995b264aa3373c71ab3c3361559744c5a35afdb436b
              • Instruction ID: 0c1c98da1adbc9245a3a3f9d06f2b898893132d4bf6032d4bbdd9799d4c2e76b
              • Opcode Fuzzy Hash: 2424e01f5310c213d65bb995b264aa3373c71ab3c3361559744c5a35afdb436b
              • Instruction Fuzzy Hash: 3D632E22A05BC588E770AF29DC507E973A0FB49788F905235CE4D9BB69DF38A395C350
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 081c533b1187a7a56198e133adf082e73e232c32b2c22459d8fc4c3dd6291131
              • Instruction ID: 62a58c0798e2493d155f61079715dd9cfcb5b4601b2f2e6a72eeb0b2c7e8a907
              • Opcode Fuzzy Hash: 081c533b1187a7a56198e133adf082e73e232c32b2c22459d8fc4c3dd6291131
              • Instruction Fuzzy Hash: 6862BA12A08BC185E761AF299C443F9A3A4FF45788F949136DE4EA77A5DF78B381C310
              APIs
              Strings
              • stack backtrace:, xrefs: 00007FF70BF8C297
              • note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FF70BF8CB3E
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$ErrorLast$CloseHandle$FileModule32UnmapViewmemset$CaptureContextCreateCurrentDirectoryEntryFirstFunctionLookupNextSnapshotToolhelp32
              • String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
              • API String ID: 858481261-3192684347
              • Opcode ID: b8f33b972ad8612b5aa0b7664f3e3c976bb4db7b3752d110da04b1e3a5869522
              • Instruction ID: 67c1fff610f86c5d273f24d8833ef3521c42f7c5405fb39631d015593e376c1c
              • Opcode Fuzzy Hash: b8f33b972ad8612b5aa0b7664f3e3c976bb4db7b3752d110da04b1e3a5869522
              • Instruction Fuzzy Hash: 34824362A09BC188EB709F29DC403E967A0FF45748F844535DA4E9BBA5DF38E385C361
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Handle$CurrentDuplicateProcess$CloseErrorLast
              • String ID: RUST_MIN_STACK$failed to spawn thread
              • API String ID: 120317985-917136298
              • Opcode ID: 90d9a2d9c4181bc2e1c4cb1085905c2892fee0c2b0706e11d09b34cf33207d67
              • Instruction ID: 9d39e108de1c015b82b6af1280750412cf175ed15937c402151b92e2848fa84d
              • Opcode Fuzzy Hash: 90d9a2d9c4181bc2e1c4cb1085905c2892fee0c2b0706e11d09b34cf33207d67
              • Instruction Fuzzy Hash: 27F16F22A0968285FB11BB299C403B9A361BF45784FD44535EE4EA77B6DF3CBB41C360
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CurrentThread
              • String ID: main
              • API String ID: 1184698198-3207122276
              • Opcode ID: a3d3748d4534dfa11ec2eadc8d003c1020e6edfa91e40bf6b3836f9c042fe793
              • Instruction ID: 80b331a4d1d3c0205313e8d1a15f2dcdd28a31fde994052631e21ace646cc040
              • Opcode Fuzzy Hash: a3d3748d4534dfa11ec2eadc8d003c1020e6edfa91e40bf6b3836f9c042fe793
              • Instruction Fuzzy Hash: 24E1A322A09A8285E731FB299C457F9A3A0FF44784F809535DE5E977A5CF7CB281C320
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$ErrorLast$FreeHeap$FullNamePathmemcpy
              • String ID: .exeprogram not found$assertion failed: is_code_point_boundary(self, new_len)${7$7
              • API String ID: 3556615546-4050981301
              • Opcode ID: 4420a046adc7649c15506276128256bc5267943e8c0cd9f97db03ce8d364e179
              • Instruction ID: c2f5f8fa2742c9a686a7ed62265add866775b75e93ddd47c1d88e8fb8a738c2a
              • Opcode Fuzzy Hash: 4420a046adc7649c15506276128256bc5267943e8c0cd9f97db03ce8d364e179
              • Instruction Fuzzy Hash: 58D19A62B18A9248FB30AB69DC543FDA691AF45784F944135CA0FA7BE5DF3CB7418320
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy
              • String ID:
              • API String ID: 3510742995-0
              • Opcode ID: 094b7608727381d5594b2b989919fcff53681c9dcc38eaded5df67d7cce5dcd0
              • Instruction ID: 8c6bae0baa2ff7b6db8c9c7a85b0a363d53add17e4056daf8cd00f23f579a9dd
              • Opcode Fuzzy Hash: 094b7608727381d5594b2b989919fcff53681c9dcc38eaded5df67d7cce5dcd0
              • Instruction Fuzzy Hash: B9826E32A08AC189E7719F29DC443E967A1FF59788F844135DE4E9BBA9DF38A741C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 03ea4dda623083ea11e1b9fe16ef65971f2ade20d3d8b59e57a05caace76ebee
              • Instruction ID: 409254fa5ff574d090412b66334879fb0aaef68782925a986ec36d47fbfdb694
              • Opcode Fuzzy Hash: 03ea4dda623083ea11e1b9fe16ef65971f2ade20d3d8b59e57a05caace76ebee
              • Instruction Fuzzy Hash: 96239262608BC589E7719F29DC403E973A4FB19798F844235DE4E9BBA9DF38A351C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 832b1aaf252861e8ec0bb78fa4880744f5922126a88cb00769e513366d24d6f8
              • Instruction ID: e739a7915d94f3dc9e3c4f1251c5fcda3d2af2b77713fbd3808c3dd58fef2d25
              • Opcode Fuzzy Hash: 832b1aaf252861e8ec0bb78fa4880744f5922126a88cb00769e513366d24d6f8
              • Instruction Fuzzy Hash: 04D18E21A1964282F965AB1E9C447B99691BF46B90F840632DE1FE77F1CF7CF781C220
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Heap$Free$Alloc
              • String ID:
              • API String ID: 3901518246-0
              • Opcode ID: 8898dd4a3a851e29bbfcb523715dba699e5a0b971423c1fd2c1e9ad2915715d8
              • Instruction ID: 02a03fc56659894ff2e65adec709471f2647e3c84e989dcae5aa2a3b57fe4d55
              • Opcode Fuzzy Hash: 8898dd4a3a851e29bbfcb523715dba699e5a0b971423c1fd2c1e9ad2915715d8
              • Instruction Fuzzy Hash: 37F26D76A08AC589EB70DF29DC443E963A1FB58788F904535CE4E8B7A9DF38A754C310
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Time$FilePreciseSystem
              • String ID: Time went backwards
              • API String ID: 1802150274-1709607482
              • Opcode ID: 0bec3a40da61d8438c99fa949578612385452b18353217109eee2e4eaeba50f9
              • Instruction ID: 9c788fc2dc6b2a335787c51aa1a2ff2c2678efabee6a2a70ca6cff4f858961ac
              • Opcode Fuzzy Hash: 0bec3a40da61d8438c99fa949578612385452b18353217109eee2e4eaeba50f9
              • Instruction Fuzzy Hash: 1D81A061A0C68281EA24FB29AC54BB9A291EF86784FD04532D94EC77B5CF7DF641C320
              APIs
              Strings
              • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00007FF70BF5BB44, 00007FF70BF5BF7F
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Value$FreeHeap
              • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs
              • API String ID: 911738859-4235933832
              • Opcode ID: a0d8a6eeb873da11d49522f6d5bc7e7d3c7737bbf60e4d7fb552ecb3c94d4274
              • Instruction ID: c32901eb314c32345f881d2c57f97ade384671a00a5e3b17dd4918d700139900
              • Opcode Fuzzy Hash: a0d8a6eeb873da11d49522f6d5bc7e7d3c7737bbf60e4d7fb552ecb3c94d4274
              • Instruction Fuzzy Hash: 96123922B0865646E724AF1998407B8A761EF54BA0F884235DF5F877E6DF3CBB41C360
              APIs
              Strings
              • NTDLL.DLL, xrefs: 00007FF70BF5CD3C
              • assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs, xrefs: 00007FF70BF5D10C
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorFormatLastMessagememset
              • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs
              • API String ID: 3213201652-2010291737
              • Opcode ID: 5cfaac2d35587050a710241c3ed98f7814f7fc4211814e84ea9f50d7ae8c55bb
              • Instruction ID: f581c6319a9c3036f5ed5dc8bf7cc418a1804995e4d42513b7a3074ab04de862
              • Opcode Fuzzy Hash: 5cfaac2d35587050a710241c3ed98f7814f7fc4211814e84ea9f50d7ae8c55bb
              • Instruction Fuzzy Hash: 06C17D26A0A78285F775AB29DC407FCA691EF44784F844035DA4F87BA9DF7CB3819360
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Heap$AllocFree
              • String ID:
              • API String ID: 1379380650-0
              • Opcode ID: eab782f6e584dbfaad2f76994c065b33d67d4514fdf2740142c3f7e3350fe91a
              • Instruction ID: dd4738a61968099ca77dde68fb4077cb0dc5fe26af04cdc24270bc5f9d4a021c
              • Opcode Fuzzy Hash: eab782f6e584dbfaad2f76994c065b33d67d4514fdf2740142c3f7e3350fe91a
              • Instruction Fuzzy Hash: A591C361A09A5280EA15BB6E9C143B99290BF45BE4FC48631DD1FA77F1DF3CB241C324
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy
              • String ID: corrupt deflate streamC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\flate2-1.0.34\src\bufreader.rs$K.$R
              • API String ID: 3510742995-2722369248
              • Opcode ID: 5f21559d235a3068a96a9e5ac9dd20004edb2d7a7f0554b88ccfc571d952d006
              • Instruction ID: 2c09d2503d8ec98903897c5e9b9f70d873011ba9eb5e2be245b3cb225d36e2a8
              • Opcode Fuzzy Hash: 5f21559d235a3068a96a9e5ac9dd20004edb2d7a7f0554b88ccfc571d952d006
              • Instruction Fuzzy Hash: 4B32953260CBC181E6649B29E9007EAE364FF85790F855131DE9EA37A5DFBCE684C710
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy$FreeHeap
              • String ID:
              • API String ID: 4250714341-0
              • Opcode ID: f575465bbac070721a341c81fea821d1629ff62149a2946d8364052882f95c77
              • Instruction ID: 00a087083267aaf70b0dabaae18529d0661b8d9d7ff086a5246f999f134edfb5
              • Opcode Fuzzy Hash: f575465bbac070721a341c81fea821d1629ff62149a2946d8364052882f95c77
              • Instruction Fuzzy Hash: 04A16062B08B8195E748EB2AAD003ADB7A4FF0C784F848539DE5E97765DF78B560C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 5b198271ebfd2b478c46cdffd2b9fefaba426ca391e6655075fbf95dd7df01bf
              • Instruction ID: c38297b032b6823ed6976429a89ff72a6b0e69945007ae41c85330d2674bcec3
              • Opcode Fuzzy Hash: 5b198271ebfd2b478c46cdffd2b9fefaba426ca391e6655075fbf95dd7df01bf
              • Instruction Fuzzy Hash: 8061A231A08A8285F775AF299C543F9A291FF49748F958135DE0E9BAA6CF3CB740D310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: d465f973f0ac4c44a0af7e979da7d22d7ec5c3a29f8078f37cf608f135e1bec5
              • Instruction ID: 7832a640f940348e92db2304d8a43e028838c5f77d813902d1b5067dfe4b0414
              • Opcode Fuzzy Hash: d465f973f0ac4c44a0af7e979da7d22d7ec5c3a29f8078f37cf608f135e1bec5
              • Instruction Fuzzy Hash: 30519271A08B8185F7359F2AAC547F9A2A1FF48788F914135DE1E9BAA5CF3CB250C350
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 74489b23fbd8285f85adc6dba59407899b101c4c96249c3d9e50dff1cf522c93
              • Instruction ID: 864c48ba4ba4c5faecb0046cb87abc4d66d26c37a019fb16c98e0e8f4e615e0d
              • Opcode Fuzzy Hash: 74489b23fbd8285f85adc6dba59407899b101c4c96249c3d9e50dff1cf522c93
              • Instruction Fuzzy Hash: 4B418F71A08A8185F739AF299C543F9A2A1FF48788F905535DE1E9B6A5CF3CB340C351
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy
              • String ID:
              • API String ID: 3510742995-0
              • Opcode ID: 2a42d840af4a2e126e4f950783cc7813c5c70efe4583739894dc56b35076103c
              • Instruction ID: 341918460973f6fa20d98b9cfe9bc684d4dd953a53d015b959c56f3ba6fb901d
              • Opcode Fuzzy Hash: 2a42d840af4a2e126e4f950783cc7813c5c70efe4583739894dc56b35076103c
              • Instruction Fuzzy Hash: 9E620832A1869286D7289F19E844BBAF761FF80784F905135DB4A93BA4DF3DF605CB10
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f661d4266f7952d41f91aba0b69599c471090614c3bef5cd16f9562f39b6714f
              • Instruction ID: d4c4db861ea36a86d47677319d11ddfda1071c8fa534b553e140f32337011c5d
              • Opcode Fuzzy Hash: f661d4266f7952d41f91aba0b69599c471090614c3bef5cd16f9562f39b6714f
              • Instruction Fuzzy Hash: 9C82E562B04AD592EB11DF29D5006EC6720FB54BD8F869322EF6E57391EF38E695C300
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1fbc8af6f86a41f0d7fa6958acc39f510d7a7c67c0421f0aa707026c0b21926f
              • Instruction ID: 982eb338fb20df75144f8e2242f6b1641aba51d9ffbb3d48772254e23e39bd6b
              • Opcode Fuzzy Hash: 1fbc8af6f86a41f0d7fa6958acc39f510d7a7c67c0421f0aa707026c0b21926f
              • Instruction Fuzzy Hash: 7662D763E04B8583E610DF2999005A9A360FB557E8F869721EE6E537E6DF38F2D1C310
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a5961472602105d3b4e0820a3d1bf4a4f820746add002c32f6e90b777a5c11fa
              • Instruction ID: 1c8828a5ae0a35525257a5f4f4ef6098fd6c1a38cbfd43bcdb8ddf8ea3a37878
              • Opcode Fuzzy Hash: a5961472602105d3b4e0820a3d1bf4a4f820746add002c32f6e90b777a5c11fa
              • Instruction Fuzzy Hash: 4362D552E04BD482E7108F29D9016E96760FB687D8F85A321EF6E577A6EF34E2D5C300
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c995f62f72a9c930a31ea296b51bb16da292989f99509fbd80623d8c88b41c1
              • Instruction ID: d8c6b09ddd4cebf742514dbead732f86856d7195a20f6a381d5a1ab10675d244
              • Opcode Fuzzy Hash: 2c995f62f72a9c930a31ea296b51bb16da292989f99509fbd80623d8c88b41c1
              • Instruction Fuzzy Hash: 4552B452E14BC482E7119F299A012E86760FB687D8F45A721EF6E537A6EF34F6D1C300
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6fc1435016672211b0f0a99cb0e0272d930ee24e3b0002a6ce688b0ff90cf1c3
              • Instruction ID: a4667c7e4e1377651023392b86e2db89dbfbfc6e92e8eb057ce032f7d69e5dde
              • Opcode Fuzzy Hash: 6fc1435016672211b0f0a99cb0e0272d930ee24e3b0002a6ce688b0ff90cf1c3
              • Instruction Fuzzy Hash: CB52D772A14B8592DB10DF29D9046EC7364FB58B98F819722DF6D533A1EF38E2A5C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-0
              • Opcode ID: bc73b658119167331c1b2a998e938b2038956dfeda5b681f5bd7e518e0a77230
              • Instruction ID: fb8c6d22319facf63b1085bdd48d64c9272c201562dabec2a9d886ddd11a3c72
              • Opcode Fuzzy Hash: bc73b658119167331c1b2a998e938b2038956dfeda5b681f5bd7e518e0a77230
              • Instruction Fuzzy Hash: 142215326186D587D7248F29E840BAAB7A5FB80784F905135DB8A53FA8DF3DE605CF00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e4cdfb1d69d3770508cd6a74153053b71dbc6ff3a51dabf9d2ab66261702e26
              • Instruction ID: fb10b8451ca62561faab0acbdb03899411c3b901aacf00471b60e986edcd2d94
              • Opcode Fuzzy Hash: 9e4cdfb1d69d3770508cd6a74153053b71dbc6ff3a51dabf9d2ab66261702e26
              • Instruction Fuzzy Hash: 9BE1F452A18A4281FB25BB299C0037EE761BF51788FA45531DE6FA76B0DF3CFA518310
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID: Authenti$GenuineI$HygonGen
              • API String ID: 0-696657513
              • Opcode ID: a71d41e7c14610208c7c696cbff29d5dfac8f482083e3896bc893fc3e407d0f9
              • Instruction ID: 37bf2864fe7c1126073e00d5efc248f4c230220997ca159758350e1347f48be3
              • Opcode Fuzzy Hash: a71d41e7c14610208c7c696cbff29d5dfac8f482083e3896bc893fc3e407d0f9
              • Instruction Fuzzy Hash: 229169A3B2595106FF1C8595BC36BB98882B7987C8E48A03DED1FD7BC4DD7CDA118200
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID: Authenti$GenuineI$HygonGen
              • API String ID: 0-696657513
              • Opcode ID: 2002262d51ec2bc504e4e34ffa63138f47d174864dd59b56124724e21b148153
              • Instruction ID: fd110a6be0884f707dbbd00fc976f4f7d9e52ab1dc5cc88d495b7a566682a9cb
              • Opcode Fuzzy Hash: 2002262d51ec2bc504e4e34ffa63138f47d174864dd59b56124724e21b148153
              • Instruction Fuzzy Hash: 46916AA3B2595106FB5C85A5BC32BB94882B7587D8F48A03DED5FD7BC4DD7CDA118200
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: fcd3d0efb1f5784aacd4379dc4dc4caefbd5ae0f14b134f793828b5866bd293b
              • Instruction ID: 44802355d3b4b1beb1066487d09ff92f0dd1e882357856684c4bc896fbd4842e
              • Opcode Fuzzy Hash: fcd3d0efb1f5784aacd4379dc4dc4caefbd5ae0f14b134f793828b5866bd293b
              • Instruction Fuzzy Hash: 92A19122B14A9584FA10EB65C8406B9ABA0FF44794FC54632DF5F93B94CF78B795C320
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 379e1f2b26004c28adbbccb6b928b3d8d89a6caecf6b9223589284d144015c6e
              • Instruction ID: 2f6895f594271cec0f58f1c600c7f489976cdf1acd869753d2ab66670b3784fb
              • Opcode Fuzzy Hash: 379e1f2b26004c28adbbccb6b928b3d8d89a6caecf6b9223589284d144015c6e
              • Instruction Fuzzy Hash: 0592F432A1869286E7249B29E8447BDB7A1FF85780F805135DB4B83BA4DF3DF644CB10
              APIs
              Strings
              • invalid gzip headercorrupt gzip stream does not have a matching checksum/rust/deps\gimli-0.29.0\src\read\abbrev.rs, xrefs: 00007FF70BF438DE
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID: invalid gzip headercorrupt gzip stream does not have a matching checksum/rust/deps\gimli-0.29.0\src\read\abbrev.rs
              • API String ID: 3298025750-2581265369
              • Opcode ID: 12dd0000b9741ecafd5701b43a96d83cf5593bb815b88ee3ebaec5e46ce3bd2f
              • Instruction ID: fb5c5af4b6189bc1b05f8bf665df488ba12a6dbe3a6da8faf21dfc2ada32b524
              • Opcode Fuzzy Hash: 12dd0000b9741ecafd5701b43a96d83cf5593bb815b88ee3ebaec5e46ce3bd2f
              • Instruction Fuzzy Hash: E6023962A192E186E750AB29C944BB9BBE0FF05780F844435CB4E877A1CF7CF265C724
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memset
              • String ID: punycode{-0
              • API String ID: 2221118986-3751456247
              • Opcode ID: 1c80e3d8096a56ba32515e314ad7f43fdf4af0c3ddbdefca559fc97e9211175d
              • Instruction ID: efe3d97f7c02cff73e62988614811bb1a41e5f317c0ab2baa6ff96b9ad33692e
              • Opcode Fuzzy Hash: 1c80e3d8096a56ba32515e314ad7f43fdf4af0c3ddbdefca559fc97e9211175d
              • Instruction Fuzzy Hash: 13E11262B0868546EB609B2DD8947E8A692BF45BD4F808231CE1F47BE4DF3CF7468314
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4f553d0e43c41328c2131ce458ba17ad8c1489a820ca3e177096260597bdbcbc
              • Instruction ID: 48593ab55b7d4534aa006fad319696641593f34d895ee4d0e3cfb9331f56b8bb
              • Opcode Fuzzy Hash: 4f553d0e43c41328c2131ce458ba17ad8c1489a820ca3e177096260597bdbcbc
              • Instruction Fuzzy Hash: 19524A726186D287D7249F29E841BBAB7A0FF80784F905135DA4A93BA4DF3DE604CB10
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c6422c233cded2edaa081361f6664ca18b8689f13ed0b4d9e4cda86eda9ab2e
              • Instruction ID: 08fb1f84d3ada7ee8440cbf8cd4a7a3866944d5a376219d6c91ffc856742890d
              • Opcode Fuzzy Hash: 4c6422c233cded2edaa081361f6664ca18b8689f13ed0b4d9e4cda86eda9ab2e
              • Instruction Fuzzy Hash: 46020762A48AC482EB70DF299C483F96351FB557D8F945632DE1E4B7A5DF38E3418310
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb5de990fdb3ff99e2c2ebf4f6c34786e3c2ca0818e7ea8fe1dd8cf2d9ca3250
              • Instruction ID: b2045d9fc2280a5214f5042219435af64bdc43e5fb3a733b99534d93c527c57b
              • Opcode Fuzzy Hash: bb5de990fdb3ff99e2c2ebf4f6c34786e3c2ca0818e7ea8fe1dd8cf2d9ca3250
              • Instruction Fuzzy Hash: 2802D562B54A9591EB60DF29C8483E9A360FB54B98F804232DE1E877A4DF39E746D304
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a65790fcf127a60a6dfc643d845c94e4bb37cd3bec8b6620014b594cfb15634f
              • Instruction ID: 0091b8b0c3e19127de3d193fb0a308b7c12e37b516497bc259cdf64e5b188e39
              • Opcode Fuzzy Hash: a65790fcf127a60a6dfc643d845c94e4bb37cd3bec8b6620014b594cfb15634f
              • Instruction Fuzzy Hash: E0F1F362B58AC486EB70DF2998493E96751FB647D8F805631DE1E8B7E4DF78E281C300
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68bdb06c9ff469164e65eb1e82bedc4299c6a944af94d4cd855afef690eefabb
              • Instruction ID: 25bce14620fa6b3113640d61ec94610cc13e9b6f83c975533b36859095e68fdd
              • Opcode Fuzzy Hash: 68bdb06c9ff469164e65eb1e82bedc4299c6a944af94d4cd855afef690eefabb
              • Instruction Fuzzy Hash: CFF1E662B64AC486EB70EF299C483E96751FB547D8F904631DE1E8B7A4DF78EA41C300
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-0
              • Opcode ID: 1bd3e3c541807ec5dc169c02fddcea0787afade87c466de906325d471705629b
              • Instruction ID: 8582cf821753f53bb1bbc0406724ade38ed27650e709305101888ef55c88a0f1
              • Opcode Fuzzy Hash: 1bd3e3c541807ec5dc169c02fddcea0787afade87c466de906325d471705629b
              • Instruction Fuzzy Hash: DDC1F433A185958BD3648F18E480BEDB760FB84B48F814124DB8A93BA4DF39B756CF50
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-0
              • Opcode ID: 3d191ee08877cc9ceb6fd58726cb7387d729f4a393a3e782f321f710343ab96b
              • Instruction ID: 5f74a229335174b4bb04d3da7577ec72d7a4c962494dbc1d3d4c3965d09a5620
              • Opcode Fuzzy Hash: 3d191ee08877cc9ceb6fd58726cb7387d729f4a393a3e782f321f710343ab96b
              • Instruction Fuzzy Hash: 84C1B472A185D58BD3649B18E440BEEB764FB80B48F404125EB8A53BA4DF3DF616CF10
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeapmemcpy
              • String ID:
              • API String ID: 673829100-0
              • Opcode ID: 3416d9698319905465fe0696e28087df37b05ec46ed99b73c33183398eab2f93
              • Instruction ID: 8bc22ca41acc148a764c0732cd5161ed7b12dd1d225739efc0c0e064337d586b
              • Opcode Fuzzy Hash: 3416d9698319905465fe0696e28087df37b05ec46ed99b73c33183398eab2f93
              • Instruction Fuzzy Hash: FB610412A0969189FB11A6698C817BD5B91EF15788F848935DF0F8B7DACF3CA380D360
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72f58929845ba75e2495db8b6bb7f9560d4bb48c218957fdaeeb386b83d7c954
              • Instruction ID: 24e6c4000d7e2836b0cb026a87b3924e262a6af7371e410d75d5653d36898202
              • Opcode Fuzzy Hash: 72f58929845ba75e2495db8b6bb7f9560d4bb48c218957fdaeeb386b83d7c954
              • Instruction Fuzzy Hash: 83828C72608BC589E764DF29DC447ED77A4FB08B88F408126DA4E9BBA4DF38E655C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcmp
              • String ID:
              • API String ID: 1475443563-0
              • Opcode ID: e77533640b5f5d7a89481f17dd3f79b7a2ba17af06bfed731f28687b5d678de7
              • Instruction ID: 238b2632b294cb03191a721dfb191c9a12d8076e777729d77331f8bc72e53221
              • Opcode Fuzzy Hash: e77533640b5f5d7a89481f17dd3f79b7a2ba17af06bfed731f28687b5d678de7
              • Instruction Fuzzy Hash: E8C10262B1C6A542FA15DA298D14EBAB651BF00B90FC08530DE4F83BD2DFBCF6559310
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID: 00000000
              • API String ID: 0-3221785859
              • Opcode ID: a1ef1c64581025e4cb4340c3c28e15756b0c330bd242eed194a7b4871b1e706b
              • Instruction ID: 76fffcd455b12b1e74fc7ece1bb3f9f1872d32aa3f1c66bd421d9ab91cd54b1c
              • Opcode Fuzzy Hash: a1ef1c64581025e4cb4340c3c28e15756b0c330bd242eed194a7b4871b1e706b
              • Instruction Fuzzy Hash: 6BC17851F1964285F725DE6D9C00BB9A652EF91384F88A132DD0B87AA4DFBCF782C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-0
              • Opcode ID: fb9eea819760d4bf2613d27a3a66ea62acc653b5e01ca993179c1ecf9d2e731e
              • Instruction ID: ad98d4dd0c4fe0782e51322d4539a3ce25546240fecffb4b448d0536a5cad444
              • Opcode Fuzzy Hash: fb9eea819760d4bf2613d27a3a66ea62acc653b5e01ca993179c1ecf9d2e731e
              • Instruction Fuzzy Hash: 8AC114327182D186D3648F29A841BAAB790FB85790F546135DFAA57F98CF3EE600CF00
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy
              • String ID:
              • API String ID: 3510742995-0
              • Opcode ID: 3516a3dc4c79510be3055b4154e086e5b211148515d7ee128a08519066b33ecf
              • Instruction ID: 9a1ecf7ae6ae9f140ff9cb74b8ba61ae48ce879f2ce7caa946c2ff0778c99352
              • Opcode Fuzzy Hash: 3516a3dc4c79510be3055b4154e086e5b211148515d7ee128a08519066b33ecf
              • Instruction Fuzzy Hash: 3C81C432F0465286FB40EB699C047BDA660BF05798F848535DE1EA7BA5DF78FA81C310
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID: 0123456789abcdef
              • API String ID: 0-1757737011
              • Opcode ID: 89e098db116266587f0fb3e7d331108f4357dfa55f58f9cd23858fdbaf26ab6f
              • Instruction ID: f276e7f15f06db2b5517c07d245c52bbfa6f32751d08b64346463f3727aed3c5
              • Opcode Fuzzy Hash: 89e098db116266587f0fb3e7d331108f4357dfa55f58f9cd23858fdbaf26ab6f
              • Instruction Fuzzy Hash: 1F513957B2DAE19AE311873C840066C7F62DFD6748F48C0A5CB854BBAACBADD205D721
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09b83806e05523c94b193beb7f49ba70408051c34eda2f1dd708b59c489c014d
              • Instruction ID: f21832165e82d96a0f71f497976b7afb1a13bde5e8ffa12cc1b17689936ba52c
              • Opcode Fuzzy Hash: 09b83806e05523c94b193beb7f49ba70408051c34eda2f1dd708b59c489c014d
              • Instruction Fuzzy Hash: 6A428B72F08A518AEB14DBA8E8402AD77B0FB0874CF904929DE9ED7B94CF74E255C350
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6bce7204daeef29dff8f3a80bf71d3f48e2744d66b1ea519dc9158edf6b28b2a
              • Instruction ID: a25adef869feb48901facd3c5e484e4db8a9656c0cea7d7f59a277fb373ebdd7
              • Opcode Fuzzy Hash: 6bce7204daeef29dff8f3a80bf71d3f48e2744d66b1ea519dc9158edf6b28b2a
              • Instruction Fuzzy Hash: EDC15AB2D1C7A244F7619A289C80779EA815F12761FD49230CB7F972F1CB6CBB568320
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: acfba774abf7276f9fb15aaa5032e0675e514ec202505599bb64ba29f12840e5
              • Instruction ID: b114733f1324f3c1a71dc3ac1593f80f509e2c2ca7d986b2753aa4748cbc523c
              • Opcode Fuzzy Hash: acfba774abf7276f9fb15aaa5032e0675e514ec202505599bb64ba29f12840e5
              • Instruction Fuzzy Hash: F8B10822A1969645FB619B3C9D802FDA7A2AF01788FC54431DB4F839B5DF7CB7858220
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d13c2548d549eeb638b3d185abcdd67c1b474db85d2a416c2774818a476c8cfe
              • Instruction ID: ea09bc4295ec5144da48fe9bec3e4a306093d87a39bfc9efb85a09f4eb5094b0
              • Opcode Fuzzy Hash: d13c2548d549eeb638b3d185abcdd67c1b474db85d2a416c2774818a476c8cfe
              • Instruction Fuzzy Hash: 9DB148766182E187D7248F39A8417BABB90EB81790F545135DF9A97FA4CF3EE6009B00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-0
              • Opcode ID: cee71ac72c60d04b5cba96a66f9f4e610a009ee572ada1ed30881e412a4a8ef1
              • Instruction ID: 8d3cd5fbe0835fa4c8edf05f6d96a312375d2f975edde59f5216c5d4f5c5451d
              • Opcode Fuzzy Hash: cee71ac72c60d04b5cba96a66f9f4e610a009ee572ada1ed30881e412a4a8ef1
              • Instruction Fuzzy Hash: A1C10723A287D186D3648F29A8417B9B7A0FBC5780F546235DF9957FA5CF39E280CB00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a6204ff5e38150e91f7e73f9c58db9070573147e83803d36cd3a70a84000ec5
              • Instruction ID: 04a3da7d062a80b606328bf5b026f01534b4703fbc6312bc1f594cfc73669f14
              • Opcode Fuzzy Hash: 7a6204ff5e38150e91f7e73f9c58db9070573147e83803d36cd3a70a84000ec5
              • Instruction Fuzzy Hash: 04B126767282D187D7248F29A841BAABB90FB85790F546135DF9A57F98CE3DD2048B00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 535dba28bf8d3bf0e80b5de355c32a372374cb8b2971fc28e71cca372fa45f7d
              • Instruction ID: 3393b7320a7f6ffbd78f40d33c77a11ff0c59dec46377cacc6c3d47cefc27c71
              • Opcode Fuzzy Hash: 535dba28bf8d3bf0e80b5de355c32a372374cb8b2971fc28e71cca372fa45f7d
              • Instruction Fuzzy Hash: E591AB92E29BA602F623533D6801AB4D6005F637E4E84D732FD7A72BE4D729B7438210
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 56d6463ae4d219d60d1ea27e3e42e34068a0d8fcc70f09c93554dfe72da5ce66
              • Instruction ID: b0c90d3f7530c392d11fab3736406a7a45bf6492f00d848e312e07b983d55ba3
              • Opcode Fuzzy Hash: 56d6463ae4d219d60d1ea27e3e42e34068a0d8fcc70f09c93554dfe72da5ce66
              • Instruction Fuzzy Hash: 22B127766282E187D3248E39A841B7ABB95EB81380F546135DFAA57F94CF3DE2449B00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51df8d1a3f6e4c7202f7c2da6f54e8ab482d836707c5679b65a9a72de1f438c6
              • Instruction ID: efafd03267c73bfcdb2f4f84c9e4ea64c6036eeb56b91e9bf6272cfebc081bea
              • Opcode Fuzzy Hash: 51df8d1a3f6e4c7202f7c2da6f54e8ab482d836707c5679b65a9a72de1f438c6
              • Instruction Fuzzy Hash: 5DA158677282E187D7248E39A845BAAA795EB85380F54A135DF6A57F98CE3DD200CB00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b1a37ff43404ce2ad8070a3ae223b03e16c0cc9985cd4a43c2a803768d6d1ee
              • Instruction ID: 528d08f1e4fd0c65a2c174d29bcd0e6981bc4d568212a63cfe8aedb3796e0d1f
              • Opcode Fuzzy Hash: 8b1a37ff43404ce2ad8070a3ae223b03e16c0cc9985cd4a43c2a803768d6d1ee
              • Instruction Fuzzy Hash: 67A148777282D187D3248F38A841BAAB795EB81390F546135DFAA57FD8CE3ED6048B00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d3cec4432a61695bb0309a8f18f3ffb058f112ad8320d7a0da36550dff50e1e
              • Instruction ID: 5b46d7d7ce1886116fe5bd5cba454ca6e2b2f2b283ad244f8d4bdb6250ca30bf
              • Opcode Fuzzy Hash: 6d3cec4432a61695bb0309a8f18f3ffb058f112ad8320d7a0da36550dff50e1e
              • Instruction Fuzzy Hash: 68A136777282D187D3248F38A841BAAB795EB81390F546135DFAA57F98CF3ED6008B00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e761381df0813a4ab3b9d2822e81ad812bd25deb85d199fadd20027ac00f306d
              • Instruction ID: 91eefe69bd22dda4ca6bb10741b025d86e13840929c7adbb35b7df51c551a3a6
              • Opcode Fuzzy Hash: e761381df0813a4ab3b9d2822e81ad812bd25deb85d199fadd20027ac00f306d
              • Instruction Fuzzy Hash: B9A127677282E187D7248F39E841B7AA794EB85780F546135DF6A53F94CF3EE6009B00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a161eb6f186a3d7b58392d0386994bf3935da1a1620191dd0920f028242e15fc
              • Instruction ID: d4b4d127d85af7f64e8f60e43258572c9d545fa346a6be87b1cf6a387c8dd1a4
              • Opcode Fuzzy Hash: a161eb6f186a3d7b58392d0386994bf3935da1a1620191dd0920f028242e15fc
              • Instruction Fuzzy Hash: 8AA136777282E187D7248F39A841B6AB794EB81390F546135DFAA57F98CE3ED204CB00
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8f901f81c64e261c09830aaf8aad8411e21dbf914f9fb465acb66cbe63b6fc1
              • Instruction ID: 8636f77a0be8eecd38887b61538b9e82e8a153eb8dd2611782423b67d7a1e4de
              • Opcode Fuzzy Hash: d8f901f81c64e261c09830aaf8aad8411e21dbf914f9fb465acb66cbe63b6fc1
              • Instruction Fuzzy Hash: E291C263F04DE493E751CF29D6006986320F368BD8B865322DF6E63661EB31E6DAC301
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CompareOrdinalString
              • String ID: {7$7
              Similarity
              • API ID: ExceptionRaiseUnwindabort
              • String ID: CCG $CCG $CCG!$CCG!$CCG"
              Strings
              • assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FF70BF86F7B
              Similarity
              • API ID: memcpy
              • String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}
              Similarity
              • API ID: CloseHandle$FileFreeHeapReadSleepmemset
              Similarity
              • API ID: CloseHandle$FileSleep$FreeHeapReadWritememset
              Similarity
              • API ID: Handle$CloseFile$CreateCurrentDuplicateMappingProcessView
              Similarity
              • API ID: CloseHandle$FileSleep$ReadWritememset
              Similarity
              • API ID: QueryVirtual
              • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
              Similarity
              • API ID: memcpy
              • String ID: assertion failed: old_left_len >= count$assertion failed: old_right_len + count <= CAPACITY
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID: {7$7
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              Similarity
              • API ID: memcpy$FreeHeap
              Similarity
              • API ID: Value$FreeHeap
              Strings
              • gzip header field too longC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\flate2-1.0.34\src\gz\mod.rs, xrefs: 00007FF70BF430B7
              Similarity
              • API ID: memcpy
              • String ID: gzip header field too longC:\Users\win10-x64\.cargo\registry\src\index.crates.io-6f17d22bba15001f\flate2-1.0.34\src\gz\mod.rs
              Similarity
              • API ID: ErrorFreeHeapLast$CloseDirectoryHandleSystemmemcpy
              APIs
              • WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF70BF59D0E
                • Part of subcall function 00007FF70BF5B670: TlsGetValue.KERNEL32(?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B692
                • Part of subcall function 00007FF70BF5B670: TlsGetValue.KERNEL32(?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B6E2
                • Part of subcall function 00007FF70BF5B670: TlsSetValue.KERNEL32(?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B6F2
                • Part of subcall function 00007FF70BF5B670: HeapFree.KERNEL32(?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B708
              • HeapFree.KERNEL32 ref: 00007FF70BF59E48
              • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF70BF59E98
              • HeapFree.KERNEL32 ref: 00007FF70BF59F63
              • WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF70BF59FB9
              Strings
              • use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF70BF59F25
              Similarity
              • API ID: AddressFreeHeapValueWake$Single
              • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
              • API String ID: 67810484-63010627
              • Opcode ID: 49a16d2f7584417641bdad57b782a9a1083f31e15deaba7a1fabd3bac70ca67b
              • Instruction ID: f2d45ca70f6caf8825a919ce3a92ed9a7ee33e5ecff4212415cdb57997390213
              • Opcode Fuzzy Hash: 49a16d2f7584417641bdad57b782a9a1083f31e15deaba7a1fabd3bac70ca67b
              • Instruction Fuzzy Hash: 1D811621D0DA42C4FA15BB6C9C843B9A3A0AF50314F958635DA4ED72F2DF6CB785C364
              APIs
              Similarity
              • API ID: CloseHandle$FileSleep$ErrorLastReadWritememset
              • String ID:
              • API String ID: 3673338832-0
              • Opcode ID: 63633aa21e4c9c3c832b9211643d9239d2b176e497f9717979e8d30022969992
              • Instruction ID: efd37b12598570afae8a81c26879fdd94d3aa48d14050dbb6fea30d33326bb39
              • Opcode Fuzzy Hash: 63633aa21e4c9c3c832b9211643d9239d2b176e497f9717979e8d30022969992
              • Instruction Fuzzy Hash: 6B41B5316056C289E731AF299C157F9A390FF48788F809135DE5AABBE9CF78A341D210
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 3136c251756a824a1c4da772a144c648d52fb52b4d2451b07b244137261f4589
              • Instruction ID: b5ac9b542cd928a0a9ba109600bb2b14465b20fa2d1f68795593ab00e4237d2a
              • Opcode Fuzzy Hash: 3136c251756a824a1c4da772a144c648d52fb52b4d2451b07b244137261f4589
              • Instruction Fuzzy Hash: 5541FB15A085C288FA60BB2D8C513F9A291EF89788FC04532DD4FCB6B6DF2CB744D265
              APIs
              Strings
              Similarity
              • API ID: abort$CaptureContextExceptionRaiseUnwind
              • String ID: CCG
              • API String ID: 4122134289-1584390748
              • Opcode ID: 40714f1369d40f2dcd0c9bccb3414b4fbbc41d4a0e64868ed1a0e0bacf7b32b0
              • Instruction ID: c2499a539d87e2d85c992920506236a2b6d57afabbbcbfcb7b110a7b128c85e8
              • Opcode Fuzzy Hash: 40714f1369d40f2dcd0c9bccb3414b4fbbc41d4a0e64868ed1a0e0bacf7b32b0
              • Instruction Fuzzy Hash: EA318432A08BC5C6E7209F28E8403A9B771FBD9788F509225DA8D53765DF79D191CB00
              APIs
              Strings
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID: {7$7
              • API String ID: 2735614835-1926627445
              • Opcode ID: d82d32e71efa8ff4c0a8f9dec4e2bf8e6d87026777e7b03c51a4ffe0a0e72a9c
              • Instruction ID: cc8486526894a0e9affe76f3b50ca5807583d5a844cf1024eebacdb5a86e295e
              • Opcode Fuzzy Hash: d82d32e71efa8ff4c0a8f9dec4e2bf8e6d87026777e7b03c51a4ffe0a0e72a9c
              • Instruction Fuzzy Hash: 5C314762E08A8289FB30EB69DC543FC62A1FF55748F944035CA0EE76B5CF38B6518264
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 3a3d9be1b41b6371a8a0fd4b3eb0e85b70948cc45b32b9fce096510bad0f438c
              • Instruction ID: 7c60e42b5638c32ccb2841533ac61bf6a01908a620a0dc0fd009a3bfd32ed1b0
              • Opcode Fuzzy Hash: 3a3d9be1b41b6371a8a0fd4b3eb0e85b70948cc45b32b9fce096510bad0f438c
              • Instruction Fuzzy Hash: 8531DC1590898688FA21BB2D8C553F8A291FF89B88FC04531D90EDB6B6DF2CB744D225
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 6e3a1e799ce844a5220b484934a543c848ddd601065d3916d3957b1dde4acb21
              • Instruction ID: 9528c56ba89f68edb2be474d18ccd9b0b1ee3be00d0391f7e43ed0933888e352
              • Opcode Fuzzy Hash: 6e3a1e799ce844a5220b484934a543c848ddd601065d3916d3957b1dde4acb21
              • Instruction Fuzzy Hash: 8531DD159089C688FA21FB2D8C553F8A291FF89B88FC04531D90EDB6B6DF2CB344D225
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 2f8b77e301784d2700b29fbe67406063dc2da2be08cd3d9b2d608a4d929b61f4
              • Instruction ID: 9528c56ba89f68edb2be474d18ccd9b0b1ee3be00d0391f7e43ed0933888e352
              • Opcode Fuzzy Hash: 2f8b77e301784d2700b29fbe67406063dc2da2be08cd3d9b2d608a4d929b61f4
              • Instruction Fuzzy Hash: 8531DD159089C688FA21FB2D8C553F8A291FF89B88FC04531D90EDB6B6DF2CB344D225
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: a8837c4f59a2f801573ef16270148fd532aeb64307f85a84df12ea1bb5daeedd
              • Instruction ID: b2816bbdbe1c0eda76d9768ed330542b94fed01f86f0952364388504eeb24f22
              • Opcode Fuzzy Hash: a8837c4f59a2f801573ef16270148fd532aeb64307f85a84df12ea1bb5daeedd
              • Instruction Fuzzy Hash: 2231DD159089C688FA21FB2D8C513F8A291FF89B88FC04531D90EDB6B6DF2CB344D265
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 52f7fe07d4f51796c42f9bbdc704e0724c5473624f9b6565b8a3a6dbb224e4ea
              • Instruction ID: a36e4f1629c2de164308c11ad1c57df556098e12d6361075c7abfe5ddb5ce6e6
              • Opcode Fuzzy Hash: 52f7fe07d4f51796c42f9bbdc704e0724c5473624f9b6565b8a3a6dbb224e4ea
              • Instruction Fuzzy Hash: 2331DD15A089C684FA21FB2D8C513F8A291FF89788FC04531D90EDB6B6DF2CB744D265
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 4884abac71921c7bbe0d5711fe7964fdba0dc42c78fc5aff65921d706d0c043c
              • Instruction ID: f64bac476290e7c9554a419da47175f95da1f7678e8b4df8d264108f0480f524
              • Opcode Fuzzy Hash: 4884abac71921c7bbe0d5711fe7964fdba0dc42c78fc5aff65921d706d0c043c
              • Instruction Fuzzy Hash: 6A310E159089C284FA21FB2D8C513F8A291FF89B88F804532D90EDB6B6CF2CB344D225
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: acae7ce9b2f343f9e2528a9160d29f4814b6020c0c8c6575ac9d31962669ee3e
              • Instruction ID: 23099970cbd7b56ef1283b5d21f9c44d3ceec0300cbafdb41f6f72fab8f5339c
              • Opcode Fuzzy Hash: acae7ce9b2f343f9e2528a9160d29f4814b6020c0c8c6575ac9d31962669ee3e
              • Instruction Fuzzy Hash: DC310E159089C684FA21FB2D8C513F8A291FF89B88F804532D90EDB7B6DF2CB344D265
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: a4f489f6228b02d204550801d6def3d40fc7a7edeb9186eb3771f85c415f7875
              • Instruction ID: 9d34a6dcba90858b7605835ea3eb685bb1bc61df4e34b5ad6457cabd39bdbded
              • Opcode Fuzzy Hash: a4f489f6228b02d204550801d6def3d40fc7a7edeb9186eb3771f85c415f7875
              • Instruction Fuzzy Hash: BC31EE159085C684FA21FB2D8C513F8A291FF89B88F804531D90EDB6B6CF3CB344D265
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: b7a02e22d6e641e5163871720629014bbc534639a897073240fb0652dbf0041f
              • Instruction ID: 966070948b9e63ab62c1b26de23dac32651ea2b50b822116ad22674da29ac53b
              • Opcode Fuzzy Hash: b7a02e22d6e641e5163871720629014bbc534639a897073240fb0652dbf0041f
              • Instruction Fuzzy Hash: CF31DC159089C684FA21BB2D8C553F8A291FF89B88F844531D90EDB7B6CF2CB344D265
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: a4f0b1417807055bc53ac5b4e188fc2b8e008d30eec10c24f83ab5118a0750e3
              • Instruction ID: 4949d33fa96f574c3a456e348f654aae6c3dfeecd337b0d741951d8123aa3e5b
              • Opcode Fuzzy Hash: a4f0b1417807055bc53ac5b4e188fc2b8e008d30eec10c24f83ab5118a0750e3
              • Instruction Fuzzy Hash: DB310E159089C684FA21FB2D8C513F8A291FF8AB88F804531D90EDB7B6CF2CB340D265
              APIs
              Similarity
              • API ID: memcpy$FreeHeap
              • String ID:
              • API String ID: 4250714341-0
              • Opcode ID: a6da8d967567df53af164070d0f9000ff92821031c2990ea022b2b441efc05b2
              • Instruction ID: 7aaad4b1ffdceadf286150771ff5a027b34d064f27f61fc04305099e9b36abd9
              • Opcode Fuzzy Hash: a6da8d967567df53af164070d0f9000ff92821031c2990ea022b2b441efc05b2
              • Instruction Fuzzy Hash: D591C422A04BC485EB519F2CAD053F9A374FF55788F45A222DF8D57626EF39A2D6C300
              APIs
              Similarity
              • API ID: memcpy$FreeHeap
              • String ID:
              • API String ID: 4250714341-0
              • Opcode ID: 6e0cee7b56c98c2e0fc8dbac96c5c463adb29bb491ee882e391ad2d3b93c3292
              • Instruction ID: d2c78d4ea154f4610e93c89a6608d6da4016d477a1fa7cd50768b064e1a23c53
              • Opcode Fuzzy Hash: 6e0cee7b56c98c2e0fc8dbac96c5c463adb29bb491ee882e391ad2d3b93c3292
              • Instruction Fuzzy Hash: A691C322A04BC485EB519F2CAD053F9A374FF55788F45A222DF8D57626EF39A2D6C300
              APIs
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: dee29feee70484cec1e92bca16f3f8b96e51971b3c688b118b773bb8341bcc02
              • Instruction ID: 55e2d4b48748ff4a92582ff900cc443813479d0e20d78c29afb5aeaa64c846a7
              • Opcode Fuzzy Hash: dee29feee70484cec1e92bca16f3f8b96e51971b3c688b118b773bb8341bcc02
              • Instruction Fuzzy Hash: 5731072190CA82C0F665FB2AAC583B9E6A1FF85740F854532C94ED76B6CF7CF640C221
              APIs
              Similarity
              • API ID: ErrorFreeHeapLast$FullNamePath
              • String ID:
              • API String ID: 2157454263-0
              • Opcode ID: 27a5ef83ea687e1d4eb2a73f52de38ff02e1f376d46067112582cb38d01811b6
              • Instruction ID: 2df560196a4f890850176d8480764cfbeb57643a164c765090c901ac13a69476
              • Opcode Fuzzy Hash: 27a5ef83ea687e1d4eb2a73f52de38ff02e1f376d46067112582cb38d01811b6
              • Instruction Fuzzy Hash: B041B322A04AC289E735AF69DC443F9A694BF05788F805135ED4EEB7E5CFB8B3008310
              APIs
              Similarity
              • API ID: ErrorLast$FreeHeap$FullNamePath
              • String ID:
              • API String ID: 554372815-0
              • Opcode ID: ffc5b18fb0d2eec24c59ad1d00cf9e37bee9150fa91c337d04add6273bcefe13
              • Instruction ID: 26f23a59dcccd66e1486e7dc5a722288f8a2deaba75a8311d769b20f084ee26e
              • Opcode Fuzzy Hash: ffc5b18fb0d2eec24c59ad1d00cf9e37bee9150fa91c337d04add6273bcefe13
              • Instruction Fuzzy Hash: 2441A322A04AC289E735AF69DC443F9A695BF05798F905135ED4EEB7E5CFB8B3408310
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 420fb7fe631db7dcfbcc42b4f71273a2d6f39b06ac2b4bdeba29ede57430ce4a
              • Instruction ID: d147d3db4954e371190a3e5d47f710c236d3aeaf4d388c05c4aa00e44b067c3e
              • Opcode Fuzzy Hash: 420fb7fe631db7dcfbcc42b4f71273a2d6f39b06ac2b4bdeba29ede57430ce4a
              • Instruction Fuzzy Hash: 6821DD15A0898684FA21BB2D8C553F9A291FF89B84FC04531D90EDB7B6DF3CB344D265
              APIs
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 703ec572f6f85e3f6a0b439ccf3f844154a473c8c3aa68473ac4516b86adcaf4
              • Instruction ID: 459c728393cbde6a0d51c77f497b20b9e06f7524dd064c6872b1373003e45eab
              • Opcode Fuzzy Hash: 703ec572f6f85e3f6a0b439ccf3f844154a473c8c3aa68473ac4516b86adcaf4
              • Instruction Fuzzy Hash: AA21DD11A0858288FA61BB2D8C553F99291EF8AB84F844531DD4ECB7B6DF2CB744D264
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 64bbc111073063581bea2c3985178d1a04ddb7d4742d16a7d7f52464e5ee350f
              • Instruction ID: 8b2853b4829c676c99faf85fe6342dae16daa06dab5f460c72ed90508e379804
              • Opcode Fuzzy Hash: 64bbc111073063581bea2c3985178d1a04ddb7d4742d16a7d7f52464e5ee350f
              • Instruction Fuzzy Hash: 4C21E015A0858684FA21FB2D8C513F9A291FF89B88FC04531D90EDB7B6DF2CB340D265
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: bfeaaa632c296e3f8621f327360ce7a640c4870f20d28c3d6655a0f679851ae2
              • Instruction ID: 7f00f26dfcdcd63aaae7fb3585594d6907a4fac9a0db1767cb243397680f9486
              • Opcode Fuzzy Hash: bfeaaa632c296e3f8621f327360ce7a640c4870f20d28c3d6655a0f679851ae2
              • Instruction Fuzzy Hash: 8121E015A0858684FA21FB2E8C513F8A291EF89B88FC04531D90EDB7B6DF2CB340D265
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID: s [... omitted frame ...]
              • API String ID: 238406573-3732609013
              • Opcode ID: ee85f8c006c748b9bd7a0105d1b60ffe9b1c892a442a2e7b1b7b467d6cfefb3f
              • Instruction ID: 766a58110553ee49f69206f68c5238475287ef797d38aebaeefd42dc54359ffe
              • Opcode Fuzzy Hash: ee85f8c006c748b9bd7a0105d1b60ffe9b1c892a442a2e7b1b7b467d6cfefb3f
              • Instruction Fuzzy Hash: A2516432604B8189E761DF29D8403ED77A0FF45798F944036EA4E97B65DF38E255C360
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CaptureContextExceptionRaiseUnwindabort
              • String ID:
              • API String ID: 390735245-0
              • Opcode ID: 34dbebc7c78b1c023a29775259c3f1e72f77bac56463266e103e804f5468ded6
              • Instruction ID: a2c0617fdf798db42e38078e85da7ad6ba1c9a7de59fc798dbf3c8b526a788e6
              • Opcode Fuzzy Hash: 34dbebc7c78b1c023a29775259c3f1e72f77bac56463266e103e804f5468ded6
              • Instruction Fuzzy Hash: F821EC24A0858285F625FB7AAC553F99291AF8AB84F854531DC0EDB7B7CF3CB301C220
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: f708118281b378f45de1b5e0396bad8f41d494b26e975bfaa26cce619da403f9
              • Instruction ID: 406426c0ed4d49ce0d722ede33a342e2193e2247cdd0e92718389fe0579f8132
              • Opcode Fuzzy Hash: f708118281b378f45de1b5e0396bad8f41d494b26e975bfaa26cce619da403f9
              • Instruction Fuzzy Hash: 5831F42190CA82C0F665FB2AAC583F9E6A1EF85740F854532C94ED76B6CF7CF640C621
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 7355492f84146b3a617a6f483c56936af22390e821d90f0b5a61840aa0d2fc16
              • Instruction ID: f995709c4a3d88c3bc424a1d22620beb5fb874cfde9785a2035b339695a28df3
              • Opcode Fuzzy Hash: 7355492f84146b3a617a6f483c56936af22390e821d90f0b5a61840aa0d2fc16
              • Instruction Fuzzy Hash: 8621E92190CA81C0F665FB299C583F9E6A1EF85744F854532C94ED76B6CF7CF640C621
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 53b342abefc8a77f474b157a9c45aae41c38c8a1d8633b6f30177c59952dbbbc
              • Instruction ID: 0680e8ee62ce97c251159c5f9f7352d8897d80f1d5aaa003c2fdcacdd92f57c8
              • Opcode Fuzzy Hash: 53b342abefc8a77f474b157a9c45aae41c38c8a1d8633b6f30177c59952dbbbc
              • Instruction Fuzzy Hash: 4B31182190CA81C0F675FB2AAC583B9E6A1EF85744F854936C94ED76B6CF7CF640C620
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 0b117a8037fca4a6e7957b995a34e346a0f43819fad2c86d4eca377d0c8fc790
              • Instruction ID: 617b30c593fc7f8461e67c9edb95ca3032035a544c082638565f0c22f4d759fd
              • Opcode Fuzzy Hash: 0b117a8037fca4a6e7957b995a34e346a0f43819fad2c86d4eca377d0c8fc790
              • Instruction Fuzzy Hash: A021F821908A81C0F665FB2AAC583F9E6A1EF85744F854532C94ED76B6CF7CF640C621
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: b821e4b1d224e31ebed2144adbc8048eb6b8c233479fd2f72dec1a218349dbd2
              • Instruction ID: 8c20f31f0b92611b0f5ac6b0d264e6378a886e32b6e9faf6ad15714c25f4222d
              • Opcode Fuzzy Hash: b821e4b1d224e31ebed2144adbc8048eb6b8c233479fd2f72dec1a218349dbd2
              • Instruction Fuzzy Hash: 4521F82190CA81C0F665FB2AAC583F9E6A1EF85744F854532C94ED76B6CF7CF640C621
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: e07557184b1b24cc4ff5fc3c14f753ecec2f93e4d480dc32f29bd3d8c17f01e2
              • Instruction ID: 7d50a1f4d3173917f057f7c7488c8a1ac61b59c793e7074d82d18e2dd50ac47e
              • Opcode Fuzzy Hash: e07557184b1b24cc4ff5fc3c14f753ecec2f93e4d480dc32f29bd3d8c17f01e2
              • Instruction Fuzzy Hash: 39212921908A81C0F670FB2AAC583B9E6A1EFC5744F854532C94D976B6CF3CF640C610
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$DirectoryWindows
              • String ID: u
              • API String ID: 1506654308-1900653220
              • Opcode ID: a0b3f6e6080eed171053848dde9b1b659cf3d27061f2f8fbdde922d0b76e5e43
              • Instruction ID: 3dae4eb317e7f4e79a6048fd07ab0b2df997160e04472d27aa12c9db3691d69e
              • Opcode Fuzzy Hash: a0b3f6e6080eed171053848dde9b1b659cf3d27061f2f8fbdde922d0b76e5e43
              • Instruction Fuzzy Hash: 3E11E312B18AD24DEA3079399D043BAA2806F05BE4F800630ED1EF7BF5DF28F7004225
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 7515a1c7dcbd5be949f7bb8a6f30a55287bd00bfa6d55f8bf19bbe93ced1f3ce
              • Instruction ID: ebd87ed2c5864190b15ba6b241da9a6fcd81d186f01e8a4834158cfd8140c434
              • Opcode Fuzzy Hash: 7515a1c7dcbd5be949f7bb8a6f30a55287bd00bfa6d55f8bf19bbe93ced1f3ce
              • Instruction Fuzzy Hash: 2D212B2190CA81C0F665BB2E9C583B9E691EF85744F854932C94ED76B6CF7CF640C220
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseHandle
              • String ID:
              • API String ID: 1910495013-0
              • Opcode ID: 11fc9671ca122b237ff7eda928d20d25c9d073e64d4e4bc2e71223c8483dc3af
              • Instruction ID: d482b96bf4d9958c00690cef42985d9951afe1fbc761dc860ff6707aae05147d
              • Opcode Fuzzy Hash: 11fc9671ca122b237ff7eda928d20d25c9d073e64d4e4bc2e71223c8483dc3af
              • Instruction Fuzzy Hash: C921182190CA82C4F624F72A9C583B9A291EFC9740F854532C90ED72B6CF7CF641C220
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
              • String ID:
              • API String ID: 1956605914-0
              • Opcode ID: f61aff8a7efbc3c38248a9a7de030c056a6fc29629569f6036ed9405dffe6824
              • Instruction ID: 9c309e552bb2ebb55b3f051af089c4bbbdcbc64c12c8afeb454997da31cc46a8
              • Opcode Fuzzy Hash: f61aff8a7efbc3c38248a9a7de030c056a6fc29629569f6036ed9405dffe6824
              • Instruction Fuzzy Hash: 2751E232A0869385F730AB689D443F9E251AF44794F844231DA8E97BE9DF7CB3958360
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$DirectoryFreeHeapSystem
              • String ID:
              • API String ID: 696374338-0
              • Opcode ID: ba8efff030f1aa3e82883a9afa0edc9954895418f11f03a7f5befc6b633ef255
              • Instruction ID: 76aad4112c226e7a367311b0eaebfd18e45eab72043dc208519cb578689bf1d2
              • Opcode Fuzzy Hash: ba8efff030f1aa3e82883a9afa0edc9954895418f11f03a7f5befc6b633ef255
              • Instruction Fuzzy Hash: 33419332A04AD249E7746E398C543FEA290BF05758F900135D95FEBBEADF78B7418221
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$FreeFullHeapNamePath
              • String ID:
              • API String ID: 526175943-0
              • Opcode ID: 49441c9f758ab407e467c699cfe8349d18b407c2d4457a80d850ca3a9a29de37
              • Instruction ID: bfc598e8541f08b791d5d65613c877cbb4c6b624e664bd613045539b61b373b9
              • Opcode Fuzzy Hash: 49441c9f758ab407e467c699cfe8349d18b407c2d4457a80d850ca3a9a29de37
              • Instruction Fuzzy Hash: D031BF21A08BC14AE771AF699C443F9A794BF05BD8F905131DD5EE7796CFB8A3448310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$DirectoryFreeHeapSystem
              • String ID:
              • API String ID: 696374338-0
              • Opcode ID: debc36fd3d51dc7c2d255a4a3ba722c4feec581de879dd3ae0ef2162771a5b6c
              • Instruction ID: 78684ab241fa97e1acd3e4aa458ca97f12b8464d5ddd702ed215ec53f42ee169
              • Opcode Fuzzy Hash: debc36fd3d51dc7c2d255a4a3ba722c4feec581de879dd3ae0ef2162771a5b6c
              • Instruction Fuzzy Hash: 3631C811B08AC248E730AA399D483FAA280AF05798F900635DD1EEBBE5DF38F3405215
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID: {7$7
              • API String ID: 2735614835-1926627445
              • Opcode ID: 6b8a37a6ebb4f17bc4e7824ee6ec36d887c62efd8e5f58b8f0a107410fb84b34
              • Instruction ID: 704a79c2273f7cf67bd43ee569a0f931a5748aba7529b045d0c50915f4353be0
              • Opcode Fuzzy Hash: 6b8a37a6ebb4f17bc4e7824ee6ec36d887c62efd8e5f58b8f0a107410fb84b34
              • Instruction Fuzzy Hash: EB314462E08A8189FB20EB69DC543FC62A1FF54748F944136CA0EA76B5CF38B651C260
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: cf8749d3cda7562b75bbb9c5b7a8f01e43666b4adf0563c1c946980acdda4a38
              • Instruction ID: bebe5a2bea38b874566907b451454f69d48a6fc01f6c50260f4870908fceae9f
              • Opcode Fuzzy Hash: cf8749d3cda7562b75bbb9c5b7a8f01e43666b4adf0563c1c946980acdda4a38
              • Instruction Fuzzy Hash: 4321FA15A0858688FA61BB2D8C513FDA290EF89784F844531DD4FCB7B6CF2CB744D265
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 7ddc85a45af425da16d06d5721f6f42bfbd98e342d40f4110a6684f36d7a0d96
              • Instruction ID: bc8af3ed0f0b4335bd2a1acbe6ae3cc94284eaa9f3979679ae86799e9b8a9c95
              • Opcode Fuzzy Hash: 7ddc85a45af425da16d06d5721f6f42bfbd98e342d40f4110a6684f36d7a0d96
              • Instruction Fuzzy Hash: 1721E715A089C284FA21BB2D8D513F9A291EF89B84F844531DD4FCBAB6DF2CB740D261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorHandleLast$CurrentDuplicateProcess
              • String ID:
              • API String ID: 3697983210-0
              • Opcode ID: cb21ce82905716ef01b49402226ee27abad3944cca710d8f85a779e0a737418a
              • Instruction ID: a319086a46cc3e4d09769340c3fecc65148f5c10101529ca02181a338637e16c
              • Opcode Fuzzy Hash: cb21ce82905716ef01b49402226ee27abad3944cca710d8f85a779e0a737418a
              • Instruction Fuzzy Hash: E1119122B1824148FB50FA69A8053A99190AF453F8F900631EE6ED77E9DF7CE7918360
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 93142b05058684150f23588d4d8c4624b9b4e2e794b76991026e223286eb4af5
              • Instruction ID: adfa1532bd55c1eda96446f1bcca1f957767ffab3c4a5e19605e8fad24477599
              • Opcode Fuzzy Hash: 93142b05058684150f23588d4d8c4624b9b4e2e794b76991026e223286eb4af5
              • Instruction Fuzzy Hash: 56110B15A085C284FA21BB2D8D513F9A291EF89B84F844531DD0FCB7B6CF2CB340D261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 043da2b1c4856106fb468ba3a509735d0026a6da3ca329d4d3c60016e5c72f2f
              • Instruction ID: 02b5564deed23ebe605324708f072b8e4c8de4158bb7406f38ae72f7d6bd0abe
              • Opcode Fuzzy Hash: 043da2b1c4856106fb468ba3a509735d0026a6da3ca329d4d3c60016e5c72f2f
              • Instruction Fuzzy Hash: 1911FC15A0868684FA25BB3D8D513F89291EF89B84F844931DD0FDB7B6CF2CB340D221
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: d83a4c6ca15db8fa52ad3dd03f2c0b056d9efd09d7e2497ab0136425b325bc27
              • Instruction ID: 72169472fb313334f50d374dd330dcd62177beea821f346982619c1127b8fec2
              • Opcode Fuzzy Hash: d83a4c6ca15db8fa52ad3dd03f2c0b056d9efd09d7e2497ab0136425b325bc27
              • Instruction Fuzzy Hash: 0721E52190CA82C0F625F72AAC583F9A2A1FFC5740F854532D94ED76A68F7CF640C620
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 376f7044994c17d6ae1e7d9665443716b65e08be05fdd315d0c9aab9cfe8164e
              • Instruction ID: 52be0e6c23971d9b68d4c165731f901c36e1ebbc5ccf8b8691803a87b38cd08d
              • Opcode Fuzzy Hash: 376f7044994c17d6ae1e7d9665443716b65e08be05fdd315d0c9aab9cfe8164e
              • Instruction Fuzzy Hash: 9011DA15A0858684FA21BB2D8C513F9A291FF8AB84F804531D90FDB7B7DF2CB340D261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 034c671884cff5254ac4c2e1212e26c1dbec84057426bffb9799b2e5e4fba7c2
              • Instruction ID: 1bd4af43dec4e74cbb42ed0e220fe4f59c98d362c1c388e0708841d0340096ae
              • Opcode Fuzzy Hash: 034c671884cff5254ac4c2e1212e26c1dbec84057426bffb9799b2e5e4fba7c2
              • Instruction Fuzzy Hash: 5921F42190CA82C0F621B72AAC583B9A291FFC5740F954A32D94ED76B6CF7CF640C621
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 2fbbd6cb58c588b201a6f494ccf6b8e014f5bf37341d64f484e2575d569665e2
              • Instruction ID: 324bdff54add74895d5e29a9237152b76e51afc381a6ab30f3050b67aab07220
              • Opcode Fuzzy Hash: 2fbbd6cb58c588b201a6f494ccf6b8e014f5bf37341d64f484e2575d569665e2
              • Instruction Fuzzy Hash: C211082190CA82C4F621F72AAC583B9A2A1EFC5740F854932C94ED76A6CF3CF640C620
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 9a905142c1721a6ef2d49716538fc57d9772bab3eef0aa53a14babe7e784b963
              • Instruction ID: 180348e8b674ebb9facc6faa546bf8faf99d5b27b5a0507445c8add70131fee2
              • Opcode Fuzzy Hash: 9a905142c1721a6ef2d49716538fc57d9772bab3eef0aa53a14babe7e784b963
              • Instruction Fuzzy Hash: 7D21FC2190CA81C0F665B72A9C583B9E6A1EF85744F854932C94E976B6CF7CF640C611
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 2ea968d529a7cd708b4976445e4a061b885d07d3d212b96915712a7f075d8b8f
              • Instruction ID: 324bdff54add74895d5e29a9237152b76e51afc381a6ab30f3050b67aab07220
              • Opcode Fuzzy Hash: 2ea968d529a7cd708b4976445e4a061b885d07d3d212b96915712a7f075d8b8f
              • Instruction Fuzzy Hash: C211082190CA82C4F621F72AAC583B9A2A1EFC5740F854932C94ED76A6CF3CF640C620
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: b37ee9b22fb22b3c7af1cb756f734694d68ec954f36568a0699e4b959ab50175
              • Instruction ID: c00c3843c5b8d64ee2e484b3d341b12ce10ab0752f62f85104bd14a677baa21d
              • Opcode Fuzzy Hash: b37ee9b22fb22b3c7af1cb756f734694d68ec954f36568a0699e4b959ab50175
              • Instruction Fuzzy Hash: C711FB15A0858684FA21BB2D8C513F89291EF8AB84F804531D90FDB7B7CF2CB340D261
              APIs
                • Part of subcall function 00007FF70BF5C440: TlsGetValue.KERNEL32(?,?,?,?,00007FF70BF5F62F,?,?,?,?,?,00007FF70BF8DF38), ref: 00007FF70BF5C45B
                • Part of subcall function 00007FF70BF5C440: TlsGetValue.KERNEL32(?,?,?,?,00007FF70BF5F62F,?,?,?,?,?,00007FF70BF8DF38), ref: 00007FF70BF5C493
                • Part of subcall function 00007FF70BF5C440: TlsSetValue.KERNEL32(?,?,?,?,00007FF70BF5F62F,?,?,?,?,?,00007FF70BF8DF38), ref: 00007FF70BF5C4A3
                • Part of subcall function 00007FF70BF5C440: HeapFree.KERNEL32(?,?,?,?,00007FF70BF5F62F,?,?,?,?,?,00007FF70BF8DF38), ref: 00007FF70BF5C4B9
                • Part of subcall function 00007FF70BF5C440: TlsGetValue.KERNEL32(?,?,?,?,00007FF70BF5F62F,?,?,?,?,?,00007FF70BF8DF38), ref: 00007FF70BF5C4DE
              • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF70BF8EB45
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Value$AddressFreeHeapSingleWake
              • String ID: <unnamed>$Box<dyn Any>aborting due to panic at $main
              • API String ID: 1083202064-896199136
              • Opcode ID: f9a0f1f85fbee7d955c78e20b6a1f6d6b4150e22f5b0a4b1185ccbb65642faa9
              • Instruction ID: 670366999e748cc7058c59d05dc6e61198fbf3036f209346b173db52c198fc41
              • Opcode Fuzzy Hash: f9a0f1f85fbee7d955c78e20b6a1f6d6b4150e22f5b0a4b1185ccbb65642faa9
              • Instruction Fuzzy Hash: 04027C32A09A4288FB11AB68DC403BCB7A0AF54748F844535DA4EA77B5DF7CB645C3A0
              APIs
              • VirtualProtect.KERNEL32(00007FF70C007110,00007FF70C007118,00000001,?,?,?,?,?,00007FF70BF41224,?,?,?,00007FF70BF413E6), ref: 00007FF70BF90B9D
              Strings
              • Unknown pseudo relocation protocol version %d., xrefs: 00007FF70BF90D16
              • Unknown pseudo relocation bit size %d., xrefs: 00007FF70BF90CF4
              • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF70BF90D0A
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ProtectVirtual
              • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
              • API String ID: 544645111-1286557213
              • Opcode ID: 41768ffb2055e6bfc11d63cde0ab11bb9d486a8f57cdd5f0ce7d589997f24474
              • Instruction ID: f1e71b8d31c8fe36592938707a6b06dd0e21a73c2412033b139a7936eec06005
              • Opcode Fuzzy Hash: 41768ffb2055e6bfc11d63cde0ab11bb9d486a8f57cdd5f0ce7d589997f24474
              • Instruction Fuzzy Hash: 1791D332E0955286FB146B3CDC4027AE261AF55B64F948232CD2ED77E4DF2CFA42C660
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID:
              • String ID: CCG
              • API String ID: 0-1584390748
              • Opcode ID: dbd9d111a5669cd2bf2efc6b2073521b9fd0603913579ef3ce38b1c08506464b
              • Instruction ID: cf4d32a0ac8580873a9f9dff72b58a0f8fce6b34084c0e255cd736b4b94259e5
              • Opcode Fuzzy Hash: dbd9d111a5669cd2bf2efc6b2073521b9fd0603913579ef3ce38b1c08506464b
              • Instruction Fuzzy Hash: D6215A61E0D14342FAB9727D8C5137991829F49764F994836CA1FC73E5DF2CBE918221
              APIs
              • TlsGetValue.KERNEL32(?,-00000001,00000000,?,00007FF70BF8E8D4), ref: 00007FF70BF7FB7F
              • TlsGetValue.KERNEL32(?,-00000001,00000000,?,00007FF70BF8E8D4), ref: 00007FF70BF7FBB7
              • TlsSetValue.KERNEL32(?,-00000001,00000000,?,00007FF70BF8E8D4), ref: 00007FF70BF7FBC7
              • HeapFree.KERNEL32(?,-00000001,00000000,?,00007FF70BF8E8D4), ref: 00007FF70BF7FBF3
                • Part of subcall function 00007FF70BF7FC40: HeapFree.KERNEL32(?,?,00000000,?,00007FF70BF8ED90), ref: 00007FF70BF7FC62
              • TlsGetValue.KERNEL32(?,-00000001,00000000,?,00007FF70BF8E8D4), ref: 00007FF70BF7FC18
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Value$FreeHeap
              • String ID:
              • API String ID: 911738859-0
              • Opcode ID: 930dd95f1b2a8d666c0d90a8c22c2d8dfc812323e6d70c9803e03cd977be52b6
              • Instruction ID: f406b5d653606e853f0b1548129f3e404385d7891d1645d8af1be88421f3a003
              • Opcode Fuzzy Hash: 930dd95f1b2a8d666c0d90a8c22c2d8dfc812323e6d70c9803e03cd977be52b6
              • Instruction Fuzzy Hash: A521BE21B5919385F911BB2D9C203B89680AF98BA0FD84475E90FC33F2CF2CBA418260
              APIs
              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B76F
              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B7A7
              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B7B7
              • HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF70BF5B870), ref: 00007FF70BF5B7E3
                • Part of subcall function 00007FF70BF59680: HeapFree.KERNEL32(?,?,?,?,00007FF70BF5C1D4), ref: 00007FF70BF596AC
              • TlsGetValue.KERNEL32(?,?,00000000,?,00007FF70BF8E87A), ref: 00007FF70BF5B808
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Value$FreeHeap
              • String ID:
              • API String ID: 911738859-0
              • Opcode ID: e4e84df30dea04e06bb1e5ef9aba0e555712826e080e683da224d935dc48115f
              • Instruction ID: 211b959faab0d314b0db70473ec1b71d0a26fc98e81590679e85f0a023304d36
              • Opcode Fuzzy Hash: e4e84df30dea04e06bb1e5ef9aba0e555712826e080e683da224d935dc48115f
              • Instruction Fuzzy Hash: D1218B21B1955685F9557F2DAC503B99295AF88B90FC84435CA0EC77F2CF2CBB528260
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 455687c0bca1a2310574e1a924cd63b6752ba95bc4f6fc50533558e99e694125
              • Instruction ID: 604516c52665261a57239a6c29495eccc46095d49a97b5522e1270ff05dd6762
              • Opcode Fuzzy Hash: 455687c0bca1a2310574e1a924cd63b6752ba95bc4f6fc50533558e99e694125
              • Instruction Fuzzy Hash: 0811D82190CA82C0F621F72A9C587BAE691EF85740FD14532D94ED76B68F7CF640C621
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: aa7d47b09e98c22b2269b98a0dcee40b9068f70a783ba861d74744096969fbf4
              • Instruction ID: 443ae4ec1bf29af80e7ef1e1035fe81ea1585c0371fb82ce1420a3365a4882cb
              • Opcode Fuzzy Hash: aa7d47b09e98c22b2269b98a0dcee40b9068f70a783ba861d74744096969fbf4
              • Instruction Fuzzy Hash: 8D110A21908A82C0F625F72EAC583B9E691EF85780F854532D90ED76B6CF7CF641C220
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 3017c116c417c25d60c6954b831a4659602b94aa8dde9069e5d6a42179b2654b
              • Instruction ID: 13c2bce7a9b7cc1593c589ce7cd4289113fe90b7432946c8c5d24aae4051b1c6
              • Opcode Fuzzy Hash: 3017c116c417c25d60c6954b831a4659602b94aa8dde9069e5d6a42179b2654b
              • Instruction Fuzzy Hash: C0112B2190CA81C0F661F72EAC583B9A291FF85740F854532D90E876A6CF7CF240C210
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 34e24a4308ba548872749a7009e35c017b88a9aa6af595fa7f83a9b9bdee9b88
              • Instruction ID: c641915aed888041ecf55a4b3b6137a4c4c915a19ae2a7a826c53f3986b01e76
              • Opcode Fuzzy Hash: 34e24a4308ba548872749a7009e35c017b88a9aa6af595fa7f83a9b9bdee9b88
              • Instruction Fuzzy Hash: 1311FB2190CA81C0F665B72EAC583B9E7A2EF85744F854932C94E976B6CF7CF640C621
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 10075be0c6199d2ab77cc228284232a8b30908eaf3c7e349c5fa7ae827d645aa
              • Instruction ID: 3536e9602c6be36835b1544292cbb8521ee236d4d0cf8e425eea2d0782c64931
              • Opcode Fuzzy Hash: 10075be0c6199d2ab77cc228284232a8b30908eaf3c7e349c5fa7ae827d645aa
              • Instruction Fuzzy Hash: 9511E82190CA82C0F625F72A9C583B9A691EF89780F954932C90ED76A6CF3CF240C620
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: e9ef149de9fbee0d2938a667657c3efa07ae671f395f31509dbb4ec5cc19c406
              • Instruction ID: b3a7da7dcb510728dfaf92a49ed2f654c2bf912347f926eaf7bdefdb5b7ec268
              • Opcode Fuzzy Hash: e9ef149de9fbee0d2938a667657c3efa07ae671f395f31509dbb4ec5cc19c406
              • Instruction Fuzzy Hash: C201A11190858288F624BB69CC553F89251BF85744FD04532D90FDB6B7CF2DB355D261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: 47bb6d40049739b18fcadc30ea62c97bb9f934f8113c57f08f35b336e448eef9
              • Instruction ID: 17c07ee00df66a2a2a8aff3ab7e4201cb04332e543f0db0b3c80dc5891251ef7
              • Opcode Fuzzy Hash: 47bb6d40049739b18fcadc30ea62c97bb9f934f8113c57f08f35b336e448eef9
              • Instruction Fuzzy Hash: A201EC1190868288FB24BB29CC553F89261BF86748FC04532D90FDB6B7CF2DB355C261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: c29c3b832bca9d28470a81a69af99700f44eb9ea2522b0eaf28f843945270432
              • Instruction ID: ec30908410a32423a1b5eeea48e495dedc1bffea0b39c5a681a0b85f867fa602
              • Opcode Fuzzy Hash: c29c3b832bca9d28470a81a69af99700f44eb9ea2522b0eaf28f843945270432
              • Instruction Fuzzy Hash: 6901CD1190868288FA24BB29CC553F89261BF86748FC04531D90FDB6B7CF2DB355C261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: 6f0ae900e55b2d5182218e69e8d5b7b9369f4d6f20b8836759a5946f795e6885
              • Instruction ID: 971ce50395c771bfe7a074c9203bff4d12ee3df07e53e8642e10d5b6f3ffce7b
              • Opcode Fuzzy Hash: 6f0ae900e55b2d5182218e69e8d5b7b9369f4d6f20b8836759a5946f795e6885
              • Instruction Fuzzy Hash: 42F0CD1190868288FA24FB29CC553F89261AF86748FC04531D90FDB6B7CF2DB355C261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: 89c9dc396dc350b72907a0c88a41c3f631680b3af6913bea3c3c2067d745ccc5
              • Instruction ID: 58c82db8be21b7bcc813dd1147e86477d171fa7f183c685f5bf7b330f168f2cc
              • Opcode Fuzzy Hash: 89c9dc396dc350b72907a0c88a41c3f631680b3af6913bea3c3c2067d745ccc5
              • Instruction Fuzzy Hash: D2F0791190868288FA64BB29CC553F89261BF86788FC45531D90FDB6B7CF2DB355C261
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID: 0123456789ABCDEFxxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
              • API String ID: 3298025750-821382732
              • Opcode ID: d63d7fb8526d75263699c5182c4d0a8c15ccd391964f2962f1b7e0947f2a3323
              • Instruction ID: bee607adcb597f0fe6dba23e3f6682e74bc34365653e3e6eedb73bb03f663516
              • Opcode Fuzzy Hash: d63d7fb8526d75263699c5182c4d0a8c15ccd391964f2962f1b7e0947f2a3323
              • Instruction Fuzzy Hash: 0181D762A05B8185EB51DF29EC407F9A364FF55BA4F844232DE5EA77E0CF38A294C350
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Handle$CloseErrorLast
              • String ID: called `Result::unwrap()` on an `Err` value
              • API String ID: 2105119405-2333694755
              • Opcode ID: d4ac7ec5db51b3f8c127804e841b93d11b80d149a4fded8551d7c9ed8bb2ee96
              • Instruction ID: d5dc91310a05f1b6619287a243e08c252af6c52bf499bb779e56e6b272fe25c5
              • Opcode Fuzzy Hash: d4ac7ec5db51b3f8c127804e841b93d11b80d149a4fded8551d7c9ed8bb2ee96
              • Instruction Fuzzy Hash: 6081A461A0869248FB11AB68DC803F8AB61AF05798F845131DF4F976A5DF7CF3A5C360
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeapmemcpymemset
              • String ID: K.
              • API String ID: 2272576838-728371101
              • Opcode ID: e05f89735e7ed9fcf30019d4b351aad2346042745082eb837b783e00175f8499
              • Instruction ID: 83951fb21a587981ecc4381b81eb8ee44a9e5eecd5d90cf93976473acba71522
              • Opcode Fuzzy Hash: e05f89735e7ed9fcf30019d4b351aad2346042745082eb837b783e00175f8499
              • Instruction Fuzzy Hash: 7371C522A18BD481E3219F29D9047FAB364FF99744F46A220DFD953762EF79E2858300
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 38862cd1b4e7bf1654301836ba7c3c0f64c1ddbce80bf3a2a176c2d2ac05077f
              • Instruction ID: 93efbf29f7c7abd633c8f6b55456fdb7f7dd65ed5b2baf411c8ad55b0fd14d0a
              • Opcode Fuzzy Hash: 38862cd1b4e7bf1654301836ba7c3c0f64c1ddbce80bf3a2a176c2d2ac05077f
              • Instruction Fuzzy Hash: 3D214222A0994181E525EB1E9C443B9D790FF4D794F994531DE0E973A1DF3CF692C214
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$CreateErrorEventLast
              • String ID:
              • API String ID: 3743700123-0
              • Opcode ID: 65d497d0519e09c695c71a7357ce55d86473c3ed03b428ed9c34bf3e351a30b6
              • Instruction ID: d7ce8aa1b9c8687c7ec298a78b824fa13353023eb34732cbe88922193755f6e2
              • Opcode Fuzzy Hash: 65d497d0519e09c695c71a7357ce55d86473c3ed03b428ed9c34bf3e351a30b6
              • Instruction Fuzzy Hash: 7B110223B0474146F719AB26A940378A650BF89790F484134DF4E43BA2DF3CB2E28320
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$EnvironmentVariable
              • String ID:
              • API String ID: 2691138088-0
              • Opcode ID: 2e4a4a6bdcca84d57be218b8e781fb6e3f070b3e9e993e98e13d1ddb2548602b
              • Instruction ID: 9a4a5da709b61f0521be7c48aab03b9a09e007534de307b8d818c170b67d71ba
              • Opcode Fuzzy Hash: 2e4a4a6bdcca84d57be218b8e781fb6e3f070b3e9e993e98e13d1ddb2548602b
              • Instruction Fuzzy Hash: B611B251B146D209E630A9698C047F89380AF057D4FC00931EE2EEB7E5CF78F3508220
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$FileModuleName
              • String ID:
              • API String ID: 1026760046-0
              • Opcode ID: a951cf1c7c90ac1515328ebeb580c5fdf9a2bfe330b2670d55b3f629e70645c6
              • Instruction ID: 9351806112c87629da050c7aca12f7a0f44904d58d44634417758224200c8a7c
              • Opcode Fuzzy Hash: a951cf1c7c90ac1515328ebeb580c5fdf9a2bfe330b2670d55b3f629e70645c6
              • Instruction Fuzzy Hash: C6118212B18A8248E67069399D443BAD2816F197E4F940735DD2EF7BE5EF28F3014611
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ErrorLast$DirectorySystem
              • String ID:
              • API String ID: 860285823-0
              • Opcode ID: 14e42709039d77a6fab31815b90511b50f0ca60799f2f680064bff08d195b5a8
              • Instruction ID: 69c46f69a26bcd2c43ccd010cfcadfa073e55cd15ab65de2da31a92a840802b5
              • Opcode Fuzzy Hash: 14e42709039d77a6fab31815b90511b50f0ca60799f2f680064bff08d195b5a8
              • Instruction Fuzzy Hash: E311A311B18AD249EA7079399D043BAA2806F15BE8F900630ED1EFBBF5DF28F7404616
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID: RUST_BACKTRACEfailed to write the buffered data$lluf$mluf
              • API String ID: 3298025750-1637427070
              • Opcode ID: d4a1ccac562697bb9a49c2bfbaef99e06686e78cf6fb61e78dc1395619155d93
              • Instruction ID: 7adcb0374533c15ddbda509a6097567730b74c47b097dde5e2a2e09065bff994
              • Opcode Fuzzy Hash: d4a1ccac562697bb9a49c2bfbaef99e06686e78cf6fb61e78dc1395619155d93
              • Instruction Fuzzy Hash: E101C026E0929385FA24EB7D8CA03F8A6519F42744F954676D90F876A4CF2CF384D3B1
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 19d9eb28e32f92424eeff2c7bbe3f1e8e003a599196b0422d30e3d2f9126a005
              • Instruction ID: dcbd975244aed8676ef6b5862083c987c72303e5326870e595150ab17df3c386
              • Opcode Fuzzy Hash: 19d9eb28e32f92424eeff2c7bbe3f1e8e003a599196b0422d30e3d2f9126a005
              • Instruction Fuzzy Hash: 9701E51590858688FA20BB2E8D553F8E291EF8AB84F804531D90FCB7B7CF2CB340D221
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: fb0238057e2bece123a812b5ae573347c79e44139a827011bf7b3c39cb378620
              • Instruction ID: f7b6228f3c2626018a30c3c163d43e4b50768da005b5851c26b7322f31fc0869
              • Opcode Fuzzy Hash: fb0238057e2bece123a812b5ae573347c79e44139a827011bf7b3c39cb378620
              • Instruction Fuzzy Hash: CC01081590858684FA21BB2E8D553F8E291EF8AB84F804531D90FCB7B7CF2CB340D221
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: Free$Heap$CloseEnvironmentHandleStrings
              • String ID:
              • API String ID: 2554599491-0
              • Opcode ID: aef6abe44ce4fee4c482c7f044aee957b8c08b034e45a164712759efaa02035b
              • Instruction ID: 64e75c3d12ba2516f0366d869cc4d2e4758cdd0f1e41da1e2cfa140610798906
              • Opcode Fuzzy Hash: aef6abe44ce4fee4c482c7f044aee957b8c08b034e45a164712759efaa02035b
              • Instruction Fuzzy Hash: E3F01D11A0C98285FA21BB2ECC651B99291AF95B84FD04431D90FEB2B6DF2CB7058261
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: ExceptionRaise
              • String ID: CCG $TSUR
              • API String ID: 3997070919-2088351922
              • Opcode ID: ff13d274191363dc3ffd4c1d8a84b5e74d43b27635978a24f9ef8e045896b1af
              • Instruction ID: 42cfb8346fe5d61b5ef89f133631a804da3e68186a04c908c1aa281739f0d700
              • Opcode Fuzzy Hash: ff13d274191363dc3ffd4c1d8a84b5e74d43b27635978a24f9ef8e045896b1af
              • Instruction Fuzzy Hash: 8221B612E28B8582E614AB659C402B96760FFD9B40F95D335EE4E537A1EF3CF6D18310
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: fprintf
              • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
              • API String ID: 383729395-3474627141
              • Opcode ID: bab22eb96becb08a00ebcc2d6477bb4c28c6423ab333932fb34eb064474d7083
              • Instruction ID: f210d2599346d96f2cabc3f50fbad730d0e99159348f30deac7c1143594f97e8
              • Opcode Fuzzy Hash: bab22eb96becb08a00ebcc2d6477bb4c28c6423ab333932fb34eb064474d7083
              • Instruction Fuzzy Hash: 6B013062D0CF8582E6019F2C9C001BAB330FF5A759F659325EA8D66565DF28E692C710
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: fprintf
              • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
              • API String ID: 383729395-2713391170
              • Opcode ID: d71b967446a45bca81728eb49eb423abcdb3b0fff84de49943593be9c1de9e71
              • Instruction ID: 6390b738d0b81871f1a6f66287faf51eb4b903a2558a4aca0d4167949aa8ef67
              • Opcode Fuzzy Hash: d71b967446a45bca81728eb49eb423abcdb3b0fff84de49943593be9c1de9e71
              • Instruction Fuzzy Hash: 20F06212C08E8482D202AF2CA8001ABB330FF4D798F655336EF8E76565DF28E682C714
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: fprintf
              • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
              • API String ID: 383729395-4283191376
              • Opcode ID: 3b54bf86bcdf9377bb99afe2eb99a19ffd9c64a75de605e5c45a49ecfa884fe0
              • Instruction ID: 42e4a301ffc5d20dd6770db1b124d4458a55399568ca22ab1fb1b3f2b4aa1ed7
              • Opcode Fuzzy Hash: 3b54bf86bcdf9377bb99afe2eb99a19ffd9c64a75de605e5c45a49ecfa884fe0
              • Instruction Fuzzy Hash: F3F06212C08E8582D202AF2CA8001ABB330FF4D798F655336EF8E76565DF28E682C714
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
               • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: fprintf
              • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
              • API String ID: 383729395-4064033741
              • Opcode ID: 38f80e21313ae6025ce0cfc8b0ba3b0a0b2c07fa0734a636f612c44fd1fef980
              • Instruction ID: 53353b8a6056c201317246b1d07668058c2ee7378135c98ed97fe24467faa66f
              • Opcode Fuzzy Hash: 38f80e21313ae6025ce0cfc8b0ba3b0a0b2c07fa0734a636f612c44fd1fef980
              • Instruction Fuzzy Hash: 3FF06212C08E8482D202AF2CA8001ABB330FF4D798F655336EF8E76565DF28E682C714
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: fprintf
              • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
              • API String ID: 383729395-2187435201
              • Opcode ID: 7f357b84981f6916015e0a959f087569cbb59797c70008f64a631efa4c866205
              • Instruction ID: edf0fad142d86fead0f174b210eabae3bb40236014715253b9a83c15d3b54d53
              • Opcode Fuzzy Hash: 7f357b84981f6916015e0a959f087569cbb59797c70008f64a631efa4c866205
              • Instruction Fuzzy Hash: 45F04412C08E8482D202AF2CA8001BBB330FF4D798F655325EA8D76555DF18E6828714
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: fprintf
              • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
              • API String ID: 383729395-4273532761
              • Opcode ID: 190b71d85ac2e6ffd0289cfdd078cd3fd4e8a65d79d8f9fdfce8cb86538b8b01
              • Instruction ID: 36f6c5e22d5f465c434c2a09dd16054c003ca00458701f2705ad5bff916eda80
              • Opcode Fuzzy Hash: 190b71d85ac2e6ffd0289cfdd078cd3fd4e8a65d79d8f9fdfce8cb86538b8b01
              • Instruction Fuzzy Hash: 26F06812C08E8482D2029F2CA8001ABB330FF4D798F655335DF8D76555DF28E682C714
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: fprintf
              • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
              • API String ID: 383729395-2468659920
              • Opcode ID: adf42f76fd65a4bf940081e94446061c1c5b114f3533af71a75c4735d736c4fa
              • Instruction ID: 47637320753c699b2d4000059671b61dc75c5f465480389732a8b1846063ed0e
              • Opcode Fuzzy Hash: adf42f76fd65a4bf940081e94446061c1c5b114f3533af71a75c4735d736c4fa
              • Instruction Fuzzy Hash: 91F03613D48E8582D2129F2CA8001ABB330FF5D799F655336EF8D7A555DF28E682C714
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: e029413698027a35a3d87723ff974b99f43ca2caa1f1f194ab8a2c83bc8ed83d
              • Instruction ID: b6da447509fb23b590f7f0fde893bc934992cbeb749e6615d861d63202dcbc0e
              • Opcode Fuzzy Hash: e029413698027a35a3d87723ff974b99f43ca2caa1f1f194ab8a2c83bc8ed83d
              • Instruction Fuzzy Hash: C971A562A45B4180EA54EB1ADC447B9A7A0FF55FE4F844671EE2E933E1DF38E690C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 1d0b95505a12cba4a17f69b8d091c65dea8933b012b32f8fb9746484199267ae
              • Instruction ID: cdaa7b43670ed78579062121e5fc9245a483b4bed18d04e9e3908cb55dcd0ff2
              • Opcode Fuzzy Hash: 1d0b95505a12cba4a17f69b8d091c65dea8933b012b32f8fb9746484199267ae
              • Instruction Fuzzy Hash: 8A71A662A1974581EA15AF19DC40BF8A7A0FF55BA0F844732DE2E933E1DF78E690C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: memcpy$FreeHeap
              • String ID:
              • API String ID: 4250714341-0
              • Opcode ID: 0f423011d1f82acc005d4c5948464c34011152bc484e890f88d6278cbaec4765
              • Instruction ID: 3a0d4882882ee3157f35f9fe0ff293fbec0da57096a09f695aff9e84782d642a
              • Opcode Fuzzy Hash: 0f423011d1f82acc005d4c5948464c34011152bc484e890f88d6278cbaec4765
              • Instruction Fuzzy Hash: 5671AF22A04AC586EB01AF68EC053E9A3A4FF54784F845231DE4D57761EF38F295C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeapmemcpy
              • String ID:
              • API String ID: 673829100-0
              • Opcode ID: ca9bc7f11ddc7341c6145ebac1025cc2a574081ef38463e837498eefd1fa91b0
              • Instruction ID: db4cc2f36c6f4b4874ca2503ed873e5a0fbc4a4a2595b49ff22c7d37c1eb784e
              • Opcode Fuzzy Hash: ca9bc7f11ddc7341c6145ebac1025cc2a574081ef38463e837498eefd1fa91b0
              • Instruction Fuzzy Hash: 1951A122A04A9496E705EF29DC053E9A3B0FF48B88F849535DF4D57765EF38E2A1C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapViewmemcpy
              • String ID:
              • API String ID: 661475760-0
              • Opcode ID: 1fa0b5b20026bb9109c50e052146d8bf752ba294e49ad69ff501bff17f4eb177
              • Instruction ID: 395d8ec10071b384cab0174a2da47b7e2012545dd5c92ec10e5047bef1aeee4f
              • Opcode Fuzzy Hash: 1fa0b5b20026bb9109c50e052146d8bf752ba294e49ad69ff501bff17f4eb177
              • Instruction Fuzzy Hash: 1D3195219089C185F774AB29CC543F96790FF49799F844232CA6E9BAE5CF38B360C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseHandle
              • String ID:
              • API String ID: 1910495013-0
              • Opcode ID: a6761422464492fc466960511e540fe252427be30c88a29949e57241ecc36d60
              • Instruction ID: b595c5d8d2446a47fc9d468a3c4934daaff6994a9b2edfced952becceace754e
              • Opcode Fuzzy Hash: a6761422464492fc466960511e540fe252427be30c88a29949e57241ecc36d60
              • Instruction Fuzzy Hash: 31313622D08A82C9FB20EB69DC543FC62A1FF55748F944535CA0EE76A5CF38B641C260
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseHandle
              • String ID:
              • API String ID: 1910495013-0
              • Opcode ID: a11df91f313f628a7d3730878565e5ad2c5c250ed84b4539413d419a305e2a83
              • Instruction ID: 32226e0ce7e90eaf490792d60d6bfb32814c865b5524a18856c057a0ebb4d6e2
              • Opcode Fuzzy Hash: a11df91f313f628a7d3730878565e5ad2c5c250ed84b4539413d419a305e2a83
              • Instruction Fuzzy Hash: 04311432A08A81C9F720EF69DC543FC63A1FF55748FA04535CA4E9B765CF39A651C260
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: cf00206fcd04a550ef0a1688a5ad71a4e05bbceb963c83d0b33b35854e4f9b90
              • Instruction ID: 4e06af433f3f5f4e1c67b31849390ea7c016476594648dee1a54369aabd1e01a
              • Opcode Fuzzy Hash: cf00206fcd04a550ef0a1688a5ad71a4e05bbceb963c83d0b33b35854e4f9b90
              • Instruction Fuzzy Hash: E9314D21A08AC185F7B4AB298C543F9A790FF89749F844532CD0E9BAA5CF3DB355C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: a497c667d6aec3129abf56c41ef06eed71ff74521c48b058a2576755ea12f9e7
              • Instruction ID: dcf8b6a5d2f0fe63755f73d11b5ad9f3a3cb394b5ba0b1e7be98b443332b9bd9
              • Opcode Fuzzy Hash: a497c667d6aec3129abf56c41ef06eed71ff74521c48b058a2576755ea12f9e7
              • Instruction Fuzzy Hash: 73313C21908AC185F774AB298C553F9A790FF89749F844532CD0E9B6A5CF3DB355C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: e2f8355943c93ed4583b1b62da21f0fd34caaec0015a144af937c78499cc1d23
              • Instruction ID: d7dfea1c23c80f9dab594064007a4d987d65e0ff275618212b0a5235d12eb7c0
              • Opcode Fuzzy Hash: e2f8355943c93ed4583b1b62da21f0fd34caaec0015a144af937c78499cc1d23
              • Instruction Fuzzy Hash: 9121EE2590898289F771BB2A8C113F9A391FF89758F854532CD0ECB6A5CF2CB7558321
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapViewmemcpy
              • String ID:
              • API String ID: 661475760-0
              • Opcode ID: 6cdd64ac11d9f918d8535d5cf9aee65e2a082506a5bcb216b8a1b42ece013ad8
              • Instruction ID: b6ae9976ef39064cae7526f816973af73973982b3bc377a13e4fa124336e6b95
              • Opcode Fuzzy Hash: 6cdd64ac11d9f918d8535d5cf9aee65e2a082506a5bcb216b8a1b42ece013ad8
              • Instruction Fuzzy Hash: 8221FA21908A82C4F774AB298C553F963A0FF89758F940736C92EDB6E58F39B355C210
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: f851568b18d46ed76017caef68515d32fa66a30f6b42b3e76c7a784eff113370
              • Instruction ID: 0d4fd52374c41837aed6675dbdb34cd6dc2532e9bad977c7d1e6761f006594bf
              • Opcode Fuzzy Hash: f851568b18d46ed76017caef68515d32fa66a30f6b42b3e76c7a784eff113370
              • Instruction Fuzzy Hash: E121DB21908AC288E774AB298C543F963A0FF89748F941532CD0EDBAA5CF3DB755C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 15037a14f5dc917d54a0a4e393df578bc3a4877fd5cb2327e121f4c06df77d76
              • Instruction ID: 881dc00391deb978737a73b281524a1e29b0aec8f7fed52a1900361251bd9fe5
              • Opcode Fuzzy Hash: 15037a14f5dc917d54a0a4e393df578bc3a4877fd5cb2327e121f4c06df77d76
              • Instruction Fuzzy Hash: F921B825908AC288E774AB298C553F9A3A0FF89748F941536CD0EDBAA5CF3DB755C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: bd944152bdd1fc753aa9ad592dc4dd3af4d18a3745e58d5acf5907c1df584641
              • Instruction ID: e3d366ed369c59e754ac514bb853ac0b1c61f073ae9dba4e14f725673d5b7432
              • Opcode Fuzzy Hash: bd944152bdd1fc753aa9ad592dc4dd3af4d18a3745e58d5acf5907c1df584641
              • Instruction Fuzzy Hash: 4221C921908AC288E774AB298C543F963A0FF89748F941536C90EDBAA5CF3DB755C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 65ab469a8e92fb4a83e796f288e8bc75575ce8848a88952358a8106858f4b348
              • Instruction ID: da8fde3f44bbfb014cc3c6965a6c5d6f749b81457017a1bcc83d0c0adf5d5c0f
              • Opcode Fuzzy Hash: 65ab469a8e92fb4a83e796f288e8bc75575ce8848a88952358a8106858f4b348
              • Instruction Fuzzy Hash: 9C21C921908AC288F774AB298C553F963A0FF89748F945536C90EDB6A5CF3DB755C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: cf0c1fcd6d6dc4fe377add7ff0370a92cdb8c78fc54e594fee441de8ef8e54f9
              • Instruction ID: f4b0c4bca035b6b2a83661552082df4512b81802f98e9f0af544d2f6caac9c3f
              • Opcode Fuzzy Hash: cf0c1fcd6d6dc4fe377add7ff0370a92cdb8c78fc54e594fee441de8ef8e54f9
              • Instruction Fuzzy Hash: FC21C721908A8288E774AB298C553F9A2A0FF89748F941532CD0EDB6A5CF3DB755C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 94017fef0b9b168b9f7a2689a2fd6cc4983ee7fef62456129cf4c5e51e094477
              • Instruction ID: 5ce2dc6253da751ac9c4d4900f4eb6500522d7fd4b08059c0ab092de301cba01
              • Opcode Fuzzy Hash: 94017fef0b9b168b9f7a2689a2fd6cc4983ee7fef62456129cf4c5e51e094477
              • Instruction Fuzzy Hash: 4A21A725908A8288E774AB298C553F9A3A0FF89748F941536C90EDB6A5CF39B755C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$Heapabort$AllocCaptureContextExceptionFreeRaiseUnwind
              • String ID:
              • API String ID: 2638765047-0
              • Opcode ID: e27fff26fd6b72714c98ac04c9e60f70b01f4c3ff73b5c85da74732f7377f9d1
              • Instruction ID: 98a442b07699796670a701bfbe577132ed8a0dcf1230a8404c32321736cc9cbd
              • Opcode Fuzzy Hash: e27fff26fd6b72714c98ac04c9e60f70b01f4c3ff73b5c85da74732f7377f9d1
              • Instruction Fuzzy Hash: F411E512A0868158FA11FB6AAC413FCA370BF45B84F840431EE4E57772CF38B292C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$Heapabort$AllocCaptureContextExceptionFreeRaiseUnwind
              • String ID:
              • API String ID: 2638765047-0
              • Opcode ID: f0bf22c2438f99f93d5b7f9d8d2995ae4a84ab03091788de36c85e922c965d7c
              • Instruction ID: 431c911471019339342d685c8f8dab50df873b851e051a222dbeb4ac6f32e920
              • Opcode Fuzzy Hash: f0bf22c2438f99f93d5b7f9d8d2995ae4a84ab03091788de36c85e922c965d7c
              • Instruction Fuzzy Hash: 1311C612A0868558F611BB6AAC423FDA2707F45B84F844431EE4E57772DF38B292C310
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap$CloseFileHandleUnmapView
              • String ID:
              • API String ID: 238406573-0
              • Opcode ID: 1e23a672404e9379948f517144dd7dff24bcea6bfe7c7e36ff799a06c8500c6e
              • Instruction ID: 90eb5afd1a6fee972e60ac29a80eddca6260b7418f4553b17f428eb2934b320f
              • Opcode Fuzzy Hash: 1e23a672404e9379948f517144dd7dff24bcea6bfe7c7e36ff799a06c8500c6e
              • Instruction Fuzzy Hash: 2021F821908AC2C4F774AB298C453F9A3A1FF89758F940636C91EDB6E98F39B355C210
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 79c1bdfd0e5169cdd1f3bc381cd51799f6f487cbbaae02f6a210c12555769f96
              • Instruction ID: e8d99d9153dadf37854802929878c6f18818d4e77681089fab3fe68539d9ca1c
              • Opcode Fuzzy Hash: 79c1bdfd0e5169cdd1f3bc381cd51799f6f487cbbaae02f6a210c12555769f96
              • Instruction Fuzzy Hash: 0E112E25A0858285F625FB7AAC543F99291AF8AB84F814531DC0EDBBB6CF3C7341C260
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: 10bf495b43c847ded75b038d1c79ad86b8a2b99e8014f9a67ce475e4d45168e9
              • Instruction ID: 879ed923ef72902e5ad9dd25e89c918101ce32385f672c9a687028b0a4acc0ba
              • Opcode Fuzzy Hash: 10bf495b43c847ded75b038d1c79ad86b8a2b99e8014f9a67ce475e4d45168e9
              • Instruction Fuzzy Hash: 1B01961190858289FA24FB39CC653F992A1AF86748FC45532E90E9B6B78F2DB345C261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: 6d1a3c550a024edcfcb55cfffea03306e3fd385dab749bcd7e57979c2c48c1b3
              • Instruction ID: 879ed923ef72902e5ad9dd25e89c918101ce32385f672c9a687028b0a4acc0ba
              • Opcode Fuzzy Hash: 6d1a3c550a024edcfcb55cfffea03306e3fd385dab749bcd7e57979c2c48c1b3
              • Instruction Fuzzy Hash: 1B01961190858289FA24FB39CC653F992A1AF86748FC45532E90E9B6B78F2DB345C261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 664141d572de74ea0b8e3eabcadad62a4038a65e5d0fba5a192ec08025efa771
              • Instruction ID: e719c913c4d11550b591b7f3307d5016b3dce0a65a165bf2a40c51c90f645ce7
              • Opcode Fuzzy Hash: 664141d572de74ea0b8e3eabcadad62a4038a65e5d0fba5a192ec08025efa771
              • Instruction Fuzzy Hash: 1D01E921908A81C4F665F72AAC583B9A691EFC5740F854532C94E876A6CF3CE241C620
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 0d7f902be8a250ec7e5bf9eb79526059874907627c450037006c8d2c69b658d3
              • Instruction ID: d0dc405b0a3d79f59225f999181c404d15c740f9f783421b82e39c55bdac4658
              • Opcode Fuzzy Hash: 0d7f902be8a250ec7e5bf9eb79526059874907627c450037006c8d2c69b658d3
              • Instruction Fuzzy Hash: 01010C21908A81C1F625F72AAC583B9E691FFC5780F854532D94EC76B6CF3CF641C610
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseHandle$FreeHeap
              • String ID:
              • API String ID: 2735614835-0
              • Opcode ID: 78c71c7bc3c2b8143f84ab02ae63e3450a57899cc31223a25eb5deeb428aba23
              • Instruction ID: 3813edcda5e13999f0dc41f461e48ab2bd4abb9abc93f3d36aa0e3ced24be262
              • Opcode Fuzzy Hash: 78c71c7bc3c2b8143f84ab02ae63e3450a57899cc31223a25eb5deeb428aba23
              • Instruction Fuzzy Hash: 22F0B61190868288FA24FB29CC653F89261AF86788F844431E90F9B6B78F2CB345C261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseFreeHandleHeap
              • String ID:
              • API String ID: 1642312469-0
              • Opcode ID: b8da5ea989d7a12ac7e7289c580b80fa03b2869c2e0fe4f3b3dc025180463813
              • Instruction ID: e607aa8b7c217d17a4df54f38f607e554d7f612b57aaa2a69c4e57829e3c7253
              • Opcode Fuzzy Hash: b8da5ea989d7a12ac7e7289c580b80fa03b2869c2e0fe4f3b3dc025180463813
              • Instruction Fuzzy Hash: E9F0CD1190868288FB24FB29CC953F89261BF86748FC04532D90EDB6B78F3CB355C261
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2327762605.00007FF70BF41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70BF40000, based on PE: true
              • Associated: 00000000.00000002.2327683882.00007FF70BF40000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2327851869.00007FF70BF93000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328030844.00007FF70C008000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328069755.00007FF70C009000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2328107722.00007FF70C00C000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ff70bf40000_g3y89237.jbxd
              Similarity
              • API ID: CloseFreeHandleHeap
              • String ID:
              • API String ID: 1642312469-0
              • Opcode ID: fdbe63087854928da34bb9d6a3c02d2b6bd2712de5b206c28b23c7b60f97d146
              • Instruction ID: 12985dd34773d8a24b391889117df0f6736e7a8abde04aa1423df00f74bfd7c5
              • Opcode Fuzzy Hash: fdbe63087854928da34bb9d6a3c02d2b6bd2712de5b206c28b23c7b60f97d146
              • Instruction Fuzzy Hash: 30F0A91190868288FB24FB29CC953F89261AF86788F844931D90EDB6B7CF3DB355C261