Windows Analysis Report
iuhmzvlH.cmd

Overview

General Information

Sample name: iuhmzvlH.cmd
Analysis ID: 1562861
MD5: b87f096cbc25570329e2bb59fee57580
SHA1: d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256: d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
Tags: cmddoganalecmduser-JAMESWT_MHT

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Sigma detected: Execution from Suspicious Folder
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension

Classification

  • System is w10x64
  • cmd.exe (PID: 2944 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\iuhmzvlH.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • esentutl.exe (PID: 4308 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
    • esentutl.exe (PID: 4720 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: E2098B56CF093E165D030E27591CE498)
    • alpha.pif (PID: 1672 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.pif (PID: 6004 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.pif (PID: 432 cmdline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • xpha.pif (PID: 7160 cmdline: C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • alpha.pif (PID: 7032 cmdline: C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.pif (PID: 6204 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.pif (PID: 5480 cmdline: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\iuhmzvlH.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2944, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 1672, ProcessName: alpha.pif
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\iuhmzvlH.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2944, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 1672, ProcessName: alpha.pif
No Suricata rule has matched

Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000002.00000003.2054845712.00000133B7990000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.2058646531.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000000.2059683551.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000000.2060949975.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000002.2157971587.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000000.2158815042.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000002.2161338491.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000002.2162246691.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000000.2161703712.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000002.2163213670.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000000.2162595664.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif.2.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000004.00000003.2056904803.00000256300D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000008.00000000.2061254196.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif, 00000008.00000002.2157147929.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif.4.dr
Source: Binary string: cmd.pdb source: esentutl.exe, 00000002.00000003.2054845712.00000133B7990000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.2058646531.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000000.2059683551.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000000.2060949975.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000002.2157971587.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000000.2158815042.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000002.2161338491.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000002.2162246691.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000000.2161703712.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000002.2163213670.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000000.2162595664.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif.2.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000004.00000003.2056904803.00000256300D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000008.00000000.2061254196.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif, 00000008.00000002.2157147929.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif.4.dr
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,5_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,5_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,5_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,5_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose,5_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,9_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,9_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,9_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,9_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose,9_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D589E4 NtQueryInformationToken,NtQueryInformationToken,5_2_00007FF718D589E4
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D5898C NtQueryInformationToken,5_2_00007FF718D5898C
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D43D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,5_2_00007FF718D43D94
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D71538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,5_2_00007FF718D71538
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D57FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,5_2_00007FF718D57FF8
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D58114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,5_2_00007FF718D58114
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D6BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,5_2_00007FF718D6BCF0
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,5_2_00007FF718D588C0
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D589E4 NtQueryInformationToken,NtQueryInformationToken,6_2_00007FF718D589E4
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D5898C NtQueryInformationToken,6_2_00007FF718D5898C
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D43D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,6_2_00007FF718D43D94
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D71538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,6_2_00007FF718D71538
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D57FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,6_2_00007FF718D57FF8
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D58114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,6_2_00007FF718D58114
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D6BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,6_2_00007FF718D6BCF0
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,6_2_00007FF718D588C0
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D57FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,9_2_00007FF718D57FF8
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D58114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,9_2_00007FF718D58114
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D589E4 NtQueryInformationToken,NtQueryInformationToken,9_2_00007FF718D589E4
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D5898C NtQueryInformationToken,9_2_00007FF718D5898C
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D43D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,9_2_00007FF718D43D94
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D71538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,9_2_00007FF718D71538
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D6BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,9_2_00007FF718D6BCF0
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,9_2_00007FF718D588C0
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D45240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,5_2_00007FF718D45240
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D54224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList,5_2_00007FF718D54224
Source: C:\Users\Public\alpha.pif | File created: C:\Windows
Source: C:\Users\Public\alpha.pif | File created: C:\Windows \SysWOW64
Source: C:\Users\Public\alpha.pif | File deleted: C:\Windows \SysWOW64
Source: C:\Users\Public\alpha.pif | Code function: String function: 00007FF718D53448 appears 54 times
Source: classification engine | Classification label: mal56.evad.winCMD@20/4@0/1
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D432B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,5_2_00007FF718D432B0
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D6FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,5_2_00007FF718D6FB54
Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03
Source: C:\Windows\System32\esentutl.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\iuhmzvlH.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif | Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: esent.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: esent.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\esentutl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\xpha.pif | Section loaded: iphlpapi.dll
Source: C:\Users\Public\xpha.pif | Section loaded: winnsi.dll
Source: C:\Users\Public\xpha.pif | Section loaded: mswsock.dll
Source: alpha.pif.2.dr | Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Source: alpha.pif.2.dr | Static PE information: section name: .didat

Persistence and Installation Behavior

Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\xpha.pif

Boot Survival

Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\xpha.pif
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\alpha.pif | Evaded block: after key decision
Source: C:\Users\Public\alpha.pif | API coverage: 6.5 %
Source: C:\Users\Public\alpha.pif | API coverage: 6.3 %
Source: C:\Users\Public\alpha.pif | API coverage: 8.4 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\xpha.pif | Last function: Thread delayed
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,5_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,5_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,5_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,5_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose,5_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,9_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,9_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,9_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,9_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose,9_2_00007FF718D67B4C
Source: xpha.pif, 00000008.00000002.2156162133.000001F3A5759000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D663FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,5_2_00007FF718D663FC
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D54A14 GetEnvironmentStringsW,GetProcessHeap,HeapAlloc,memmove,FreeEnvironmentStringsW,5_2_00007FF718D54A14
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D58FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF718D58FA4
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D593B0 SetUnhandledExceptionFilter,5_2_00007FF718D593B0
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D58FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF718D58FA4
Source: C:\Users\Public\alpha.pif | Code function: 6_2_00007FF718D593B0 SetUnhandledExceptionFilter,6_2_00007FF718D593B0
Source: C:\Users\Public\xpha.pif | Code function: 8_2_00007FF6F7633840 SetUnhandledExceptionFilter,8_2_00007FF6F7633840
Source: C:\Users\Public\xpha.pif | Code function: 8_2_00007FF6F7633644 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF6F7633644
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D58FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FF718D58FA4
Source: C:\Users\Public\alpha.pif | Code function: 9_2_00007FF718D593B0 SetUnhandledExceptionFilter,9_2_00007FF718D593B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\alpha.pif | Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,5_2_00007FF718D551EC
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,5_2_00007FF718D53140
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,5_2_00007FF718D46EE4
Source: C:\Users\Public\alpha.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,6_2_00007FF718D551EC
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,6_2_00007FF718D53140
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,6_2_00007FF718D46EE4
Source: C:\Users\Public\alpha.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,9_2_00007FF718D551EC
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,9_2_00007FF718D53140
Source: C:\Users\Public\alpha.pif | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,9_2_00007FF718D46EE4
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D59584 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,5_2_00007FF718D59584
Source: C:\Users\Public\alpha.pif | Code function: 5_2_00007FF718D4586C GetVersion,5_2_00007FF718D4586C
MITRE ATT&CK Matrix (the original 14-column matrix regrouped by tactic column; a leading number is the count the report shows next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 Valid Accounts; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 11 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 221 Masquerading; 1 Valid Accounts; 1 Disable or Modify Tools; 1 Access Token Manipulation; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 System Time Discovery; 21 Security Software Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (rendered graph not reproduced; recoverable content only)

Behavior Graph ID: 1562861 | Sample: iuhmzvlH.cmd | Start date: 26/11/2024 | Architecture: WINDOWS | Score: 56

Process tree and annotations as shown in the graph:
  Start -> cmd.exe (Sigma detected: Execution from Suspicious Folder)
    cmd.exe -> esentutl.exe: dropped C:\Users\Public\alpha.pif (PE32+); signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
    cmd.exe -> esentutl.exe: dropped C:\Users\Public\xpha.pif (PE32+)
    cmd.exe -> alpha.pif -> xpha.pif -> 127.0.0.1 (unknown, unknown)
    cmd.exe -> 6 other processes

Antivirus, Machine Learning and Genetic Malware Detection

Source: iuhmzvlH.cmd | Detection: 11% | Scanner: ReversingLabs | Label: Script-BAT.Trojan.Heuristic
Source: C:\Users\Public\alpha.pif | Detection: 0% | Scanner: ReversingLabs
Source: C:\Users\Public\xpha.pif | Detection: 0% | Scanner: ReversingLabs
No Antivirus matches
No contacted domains info

Contacted IPs
IP: 127.0.0.1 (Domain, Country, Flag, ASN, ASN Name and Malicious columns are empty)
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562861
Start date and time: 2024-11-26 08:10:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: iuhmzvlH.cmd
Detection: MAL
Classification: mal56.evad.winCMD@20/4@0/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 42
  • Number of non-executed functions: 225
Cookbook Comments:
  • Found application associated with file extension: .cmd
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 2.20.68.210, 2.20.68.201
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code
  • VT rate limit hit for: iuhmzvlH.cmd
No simulations
No context
Match: C:\Users\Public\alpha.pif

Associated Sample Name / URL | Detection | Threat Name
USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
#U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd | malicious | Unknown
#U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd | malicious | DBatLoader, FormBook
TZH3Uk8x45.bat | malicious | DBatLoader, PureLog Stealer, XWorm
Payment.cmd | malicious | Azorult, DBatLoader
FACTURA.cmd | malicious | DBatLoader
rPO767575.cmd | malicious | DBatLoader
Contact Form and Delivery Details ,pdf.cmd | malicious | DBatLoader, FormBook
Process: C:\Windows\System32\esentutl.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 289792
Entropy (8bit): 6.135598950357573
Encrypted: false
SSDEEP: 6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1: F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256: B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512: 99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd, Detection: malicious
• Filename: TZH3Uk8x45.bat, Detection: malicious
• Filename: Payment.cmd, Detection: malicious
• Filename: FACTURA.cmd, Detection: malicious
• Filename: rPO767575.cmd, Detection: malicious
• Filename: Contact Form and Delivery Details ,pdf.cmd, Detection: malicious
Process: C:\Windows\System32\esentutl.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22528
Entropy (8bit): 5.358141004461096
Encrypted: false
SSDEEP: 384:Js9qZDngKcZhS6JLFULEg9PhayhN9dsv/45rJLQhW79WBlW:JsgZbgZZGa49snUrJLQ5
MD5: 2F46799D79D22AC72C241EC0322B011D
SHA1: 9C13C854A4EF98879D0CAB80EF679B4C4ECCF518
SHA-256: 7AF50FA112932EA3284F7821B2EEA2B7582F558DBA897231BB82182003C29F8B
SHA-512: D0274C6047A788F87ADEF7E125F65D80D0DFCDD54A00C0EF5AF22466E807802F2126C5DB2F61A419D71C8A323095116FB72A648413C38E17BA82F2C4394DEFF2
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Windows\System32\esentutl.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 560
Entropy (8bit): 4.54397131958299
Encrypted: false
SSDEEP: 12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5G4aYA1S4TB8NGNX:/p4xT5cp7u0wQakG4aTS4t8Nq
MD5: 0960CDA3A5AED073C62272724F882535
SHA1: 16ABACC018A7BACF778F9A31C21CAF7A5F570CFA
SHA-256: A46AA12E2EBF5DF7BECE9EC1DF78039FBA05BD5532F88C3C50F829C3B0CAC82C
SHA-512: 7602C59DC420227F012F8881BC740BE31865D8AB2BE79C57995DC68162D71C9F539DB88439194872C58D9B67E604A0A310933DF9A1BAF645E5451E654E537F9E
Malicious: false
Preview: ..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x5800 (22528) (0 MB)....Total bytes written = 0x6000 (24576) (0 MB).......Operation completed successfully in 0.78 seconds.....
File type: DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Entropy (8bit): 4.705712327109906
TrID:
File name: iuhmzvlH.cmd
File size: 62'357 bytes
MD5: b87f096cbc25570329e2bb59fee57580
SHA1: d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256: d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA512: 72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7
SSDEEP: 768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
TLSH: 2D53BB283091C89B8243D4D4CF41D92CBA6B6EA9FD843473598D47B72D790E4F2BB9E4
File Content Preview: @echo off..@echo off..@%.....................%e%......%c%.........%h%............ .........%o%......................% %...%o%...............%f%.........%f% ....................%..s%...%e%............ %t%r...o..................% %............%"%...........
Icon Hash: 9686878b929a9886
No network behavior found

Target ID: 0
Start time: 02:11:02
Start date: 26/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\iuhmzvlH.cmd" "
Imagebase: 0x7ff6d5530000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 02:11:02
Start date: 26/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 02:11:02
Start date: 26/11/2024
Path: C:\Windows\System32\esentutl.exe
Wow64 process (32bit): false
Commandline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase: 0x7ff621b40000
File size: 409'600 bytes
MD5 hash: E2098B56CF093E165D030E27591CE498
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 02:11:03
Start date: 26/11/2024
Path: C:\Windows\System32\esentutl.exe
Wow64 process (32bit): false
Commandline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Imagebase: 0x7ff621b40000
File size: 409'600 bytes
MD5 hash: E2098B56CF093E165D030E27591CE498
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 02:11:03
Start date: 26/11/2024
Path: C:\Users\Public\alpha.pif
Wow64 process (32bit): false
Commandline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Imagebase: 0x7ff718d40000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: high
Has exited: true

Target ID: 6
Start time: 02:11:03
Start date: 26/11/2024
Path: C:\Users\Public\alpha.pif
Wow64 process (32bit): false
Commandline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Imagebase: 0x7ff718d40000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 02:11:03
Start date: 26/11/2024
Path: C:\Users\Public\alpha.pif
Wow64 process (32bit): false
Commandline: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Imagebase: 0x7ff718d40000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:02:11:03
                        Start date:26/11/2024
                        Path:C:\Users\Public\xpha.pif
                        Wow64 process (32bit):false
                        Commandline:C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
                        Imagebase:0x7ff6f7630000
                        File size:22'528 bytes
                        MD5 hash:2F46799D79D22AC72C241EC0322B011D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:02:11:13
                        Start date:26/11/2024
                        Path:C:\Users\Public\alpha.pif
                        Wow64 process (32bit):false
                        Commandline:C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
                        Imagebase:0x7ff718d40000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:10
                        Start time:02:11:13
                        Start date:26/11/2024
                        Path:C:\Users\Public\alpha.pif
                        Wow64 process (32bit):false
                        Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
                        Imagebase:0x7ff718d40000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:11
                        Start time:02:11:13
                        Start date:26/11/2024
                        Path:C:\Users\Public\alpha.pif
                        Wow64 process (32bit):false
                        Commandline:C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
                        Imagebase:0x7ff718d40000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

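The process table above records a short, self-contained chain: `esentutl /y <src> /d <dst> /o` (the copy-file mode of a signed Microsoft binary) duplicates `cmd.exe` and `ping.exe` into `C:\Users\Public\` as `.pif` files, the renamed `cmd.exe` creates `\\?\C:\Windows ` (note the trailing space; the `\\?\` prefix disables Win32 path normalisation, which is the only way such a directory can be created) and a `SysWOW64` below it, the renamed `ping.exe` is used as a ten-count loopback delay, and the last three processes delete the `.pif` copy and the two directories. The detector below is an added example, not Joe Sandbox output and not code from the sample; it assumes process-creation telemetry with `image`, `cmd` and `md5` fields, as Sysmon Event ID 1 or an EDR would supply (a real deployment would look hashes up in a catalogue rather than in the two-entry map used here). The sample events are constructed from the Target ID table, with single backslashes instead of the doubled ones the report renders, plus one benign control record.

```python
import re
from typing import Dict, List

# Constructed sample events modelled on the Target ID table above (pids reuse
# the Target IDs). Test input for this example only, not Joe Sandbox output.
SAMPLE_EVENTS = [
    {"pid": 2, "image": r"C:\Windows\System32\esentutl.exe", "md5": "E2098B56CF093E165D030E27591CE498",
     "cmd": r"C:\Windows\System32\esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"},
    {"pid": 4, "image": r"C:\Windows\System32\esentutl.exe", "md5": "E2098B56CF093E165D030E27591CE498",
     "cmd": r"C:\Windows\System32\esentutl /y C:\Windows\System32\ping.exe /d C:\Users\Public\xpha.pif /o"},
    {"pid": 5, "image": r"C:\Users\Public\alpha.pif", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r'C:\Users\Public\alpha.pif /c mkdir "\\?\C:\Windows "'},
    {"pid": 6, "image": r"C:\Users\Public\alpha.pif", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r'C:\Users\Public\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'},
    {"pid": 7, "image": r"C:\Users\Public\alpha.pif", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r"C:\Users\Public\alpha.pif /c C:\Users\Public\xpha.pif 127.0.0.1 -n 10"},
    {"pid": 8, "image": r"C:\Users\Public\xpha.pif", "md5": "2F46799D79D22AC72C241EC0322B011D",
     "cmd": r"C:\Users\Public\xpha.pif 127.0.0.1 -n 10"},
    {"pid": 9, "image": r"C:\Users\Public\alpha.pif", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r'C:\Users\Public\alpha.pif /c del "C:\Users\Public\xpha.pif"'},
    {"pid": 10, "image": r"C:\Users\Public\alpha.pif", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r'C:\Users\Public\alpha.pif /c rmdir "C:\Windows \SysWOW64'},   # unbalanced quote as logged
    {"pid": 11, "image": r"C:\Users\Public\alpha.pif", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r'C:\Users\Public\alpha.pif /c rmdir "C:\Windows \"'},
    # benign control: the real cmd.exe running under its own name
    {"pid": 99, "image": r"C:\Windows\System32\cmd.exe", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r"C:\Windows\System32\cmd.exe /c dir C:\Users"},
]

# MD5 -> canonical file name. The two entries are the hashes the report lists
# for alpha.pif and xpha.pif, i.e. the copied cmd.exe and ping.exe bytes.
# A real deployment would use a proper known-good catalogue (assumption).
KNOWN_SYSTEM_BINARIES = {
    "8A2122E8162DBEF04694B9C3E0B6CDEE": "cmd.exe",
    "2F46799D79D22AC72C241EC0322B011D": "ping.exe",
}

# esentutl's copy mode: /y <source> /d <destination> [/o]
ESENTUTL_COPY = re.compile(r"esentutl(?:\.exe)?\s+/y\s+(\S+)\s+/d\s+(\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def split_args(cmd: str) -> List[str]:
    """Quote-aware split that keeps spaces inside quotes and tolerates an
    unbalanced closing quote (pid 10 above) by treating end-of-line as the close."""
    args, cur, quoted = [], "", False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                args.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def trailing_space_components(path: str) -> List[str]:
    """Path components that end in whitespace, e.g. 'Windows ' in \\\\?\\C:\\Windows \\SysWOW64.
    Normal Win32 path handling strips such trailing spaces; the \\\\?\\ prefix bypasses
    it, which is what makes the mock 'C:\\Windows ' directory possible."""
    p = path[4:] if path.startswith("\\\\?\\") else path
    return [c for c in p.split("\\") if c.strip() and c != c.rstrip()]


def analyze(events: List[Dict]) -> List[Dict]:
    hits = []
    for ev in events:
        pid, image, cmd, md5 = ev["pid"], ev["image"], ev["cmd"], ev["md5"].upper()
        m = ESENTUTL_COPY.search(cmd)
        if m:
            src, dst = m.group(1), m.group(2)
            # Copying a System32 binary, or changing its extension on the way, is the LOLBin pattern.
            if "\\system32\\" in src.lower() or extension(dst) != extension(src):
                hits.append({"pid": pid, "rule": "esentutl_copy", "detail": f"{src} -> {dst}"})
        canonical = KNOWN_SYSTEM_BINARIES.get(md5)
        if canonical and basename(image).lower() != canonical:
            hits.append({"pid": pid, "rule": "renamed_system_binary",
                         "detail": f"{basename(image)} has the hash of {canonical}"})
        for arg in split_args(cmd):
            bad = trailing_space_components(arg)
            if bad:
                hits.append({"pid": pid, "rule": "trailing_space_path",
                             "detail": f"{arg!r}: component(s) {bad} end in whitespace"})
    return hits


def flagged_rules(events: List[Dict]) -> Dict[int, set]:
    """pid -> set of rule names that fired; pids with no hit are absent."""
    out: Dict[int, set] = {}
    for h in analyze(events):
        out.setdefault(h["pid"], set()).add(h["rule"])
    return out


if __name__ == "__main__":
    for h in analyze(SAMPLE_EVENTS):
        print(f'pid {h["pid"]:>3}  {h["rule"]:<22} {h["detail"]}')
```

The hash rule is what ties the chain together: once `alpha.pif` is known to be `cmd.exe` by content, every later `mkdir`, `rmdir` and `del` line is attributable to a renamed shell rather than to an unknown binary. The trailing-space rule also catches the cleanup `rmdir` commands, which do not carry the `\\?\` prefix.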

                          Execution Graph

                          Execution Coverage:4%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:35.4%
                          Total number of Nodes:1227
                          Total number of Limit Nodes:8
[Execution graph of alpha.pif (imagebase 0x7ff718d40000): 1227 nodes of function addresses and the Win32/CRT APIs they call (GetCurrentDirectoryW, GetFullPathNameW, SetEnvironmentVariableW, IsDebuggerPresent, OutputDebugStringW, FindFirstFileW, GetConsoleTitleW, SetConsoleTitleW, DuplicateHandle, SearchPathW, GetDateFormatW, WriteConsoleW, ...), rendered as an interactive graph widget on the original page; the raw node data is not reproduced here.]
18743->18744 18746 7ff718d58f80 7 API calls 18744->18746 18745 7ff718d4b364 17 API calls 18745->18756 18748 7ff718d47ed5 18746->18748 18749 7ff718d43278 166 API calls 18747->18749 18748->18709 18749->18730 18750->18730 18751 7ff718d5aff6 18750->18751 18752 7ff718d43278 166 API calls 18750->18752 18751->18730 18752->18751 18753 7ff718d48940 17 API calls 18753->18756 18754 7ff718d58a70 2 API calls 18754->18756 18755 7ff718d53a0c 2 API calls 18755->18756 18756->18730 18756->18737 18756->18738 18756->18739 18756->18740 18756->18742 18756->18745 18756->18753 18756->18754 18756->18755 18759 7ff718d47aeb memset 18758->18759 18760 7ff718d47adb 18758->18760 18762 7ff718d4ca40 17 API calls 18759->18762 18793 7ff718d5291c GetDriveTypeW 18760->18793 18764 7ff718d47b36 18762->18764 18766 7ff718d47b3e GetFullPathNameW 18764->18766 18783 7ff718d5ae4e 18764->18783 18765 7ff718d5ae3a 18767 7ff718d43278 166 API calls 18765->18767 18768 7ff718d5ae55 GetLastError 18766->18768 18769 7ff718d47b73 18766->18769 18770 7ff718d5ae44 18767->18770 18768->18783 18771 7ff718d5ae68 18769->18771 18772 7ff718d47b7e CreateDirectoryW 18769->18772 18773 7ff718d47bb5 18770->18773 18779 7ff718d43278 166 API calls 18771->18779 18774 7ff718d47bdf GetLastError 18772->18774 18775 7ff718d47b93 18772->18775 18781 7ff718d58f80 7 API calls 18773->18781 18774->18771 18777 7ff718d47bf8 18774->18777 18775->18773 18780 7ff718d47ba9 free 18775->18780 18776 7ff718d43278 166 API calls 18778 7ff718d5af6b 18776->18778 18777->18783 18784 7ff718d47cd1 CreateDirectoryW 18777->18784 18787 7ff718d47c52 CreateDirectoryW 18777->18787 18788 7ff718d47c8f 18777->18788 18789 7ff718d5ae7e 18777->18789 18791 7ff718d47cca 18777->18791 18779->18789 18780->18773 18782 7ff718d47bc6 18781->18782 18782->18740 18783->18776 18784->18775 18785 7ff718d47cf3 18784->18785 18786 7ff718d5af46 GetLastError 18785->18786 18786->18775 18786->18783 18787->18788 18790 7ff718d47c7b GetLastError 18787->18790 18788->18777 18788->18787 18789->18783 
18789->18784 18792 7ff718d5af3d 18789->18792 18790->18783 18790->18788 18791->18784 18792->18786 18794 7ff718d58f80 7 API calls 18793->18794 18795 7ff718d47ae3 18794->18795 18795->18759 18795->18765 18797 7ff718d4c4c9 18796->18797 18798 7ff718d4c486 18796->18798 18802 7ff718d4ff70 2 API calls 18797->18802 18803 7ff718d4c161 18797->18803 18799 7ff718d4c48e wcschr 18798->18799 18798->18803 18800 7ff718d4c4ef 18799->18800 18799->18803 18801 7ff718d4cd90 166 API calls 18800->18801 18809 7ff718d4c4f9 18801->18809 18802->18803 18803->18536 18803->18541 18804 7ff718d4c5bd 18805 7ff718d4c541 18804->18805 18807 7ff718d4b6b0 170 API calls 18804->18807 18805->18803 18806 7ff718d4ff70 2 API calls 18805->18806 18806->18803 18807->18805 18808 7ff718d4d840 178 API calls 18808->18809 18809->18803 18809->18804 18809->18805 18809->18808 18810->18573 18812 7ff718d53bcf 18811->18812 18814 7ff718d53bfe 18811->18814 18813 7ff718d53bdc wcschr 18812->18813 18812->18814 18813->18812 18813->18814 18814->18628 18816 7ff718d52f97 18815->18816 18817 7ff718d52f2a 18815->18817 18816->18817 18818 7ff718d52f9c wcschr 18816->18818 18819 7ff718d5823c 10 API calls 18817->18819 18820 7ff718d52fb6 wcschr 18818->18820 18821 7ff718d52f5a 18818->18821 18822 7ff718d52f56 18819->18822 18820->18817 18820->18821 18824 7ff718d58f80 7 API calls 18821->18824 18828 7ff718d5e4ec 18821->18828 18822->18821 18823 7ff718d53a0c 2 API calls 18822->18823 18825 7ff718d52fe0 18823->18825 18826 7ff718d52f83 18824->18826 18825->18821 18827 7ff718d52fe9 wcsrchr 18825->18827 18826->18628 18827->18821 18830 7ff718d542ab UpdateProcThreadAttribute 18829->18830 18831 7ff718d5ecd4 GetLastError 18829->18831 18832 7ff718d542eb memset memset GetStartupInfoW 18830->18832 18833 7ff718d5ecf0 GetLastError 18830->18833 18834 7ff718d5ecee 18831->18834 18836 7ff718d53a90 170 API calls 18832->18836 18923 7ff718d69eec 18833->18923 18838 7ff718d543a8 18836->18838 18839 7ff718d4b900 166 API calls 18838->18839 18840 7ff718d543bb 18839->18840 
18841 7ff718d54638 _local_unwind 18840->18841 18845 7ff718d543cc 18840->18845 18841->18845 18842 7ff718d543de wcsrchr 18843 7ff718d543f7 lstrcmpW 18842->18843 18850 7ff718d54415 18842->18850 18846 7ff718d54668 18843->18846 18843->18850 18845->18842 18845->18850 18911 7ff718d69044 18846->18911 18910 7ff718d55a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 18850->18910 18903 7ff718d49737 18886->18903 18888 7ff718d4977d memset 18890 7ff718d4ca40 17 API calls 18888->18890 18889 7ff718d4cd90 166 API calls 18889->18903 18890->18903 18891 7ff718d5b76e 18894 7ff718d43278 166 API calls 18891->18894 18892 7ff718d5b7b3 18893 7ff718d5b79a 18896 7ff718d5855c ??_V@YAXPEAX 18893->18896 18897 7ff718d5b787 18894->18897 18895 7ff718d4b364 17 API calls 18895->18903 18896->18892 18898 7ff718d5b795 18897->18898 19013 7ff718d6e944 18897->19013 19021 7ff718d67694 18898->19021 18903->18888 18903->18889 18903->18891 18903->18892 18903->18893 18903->18895 18905 7ff718d4986d 18903->18905 18925 7ff718d51fac memset 18903->18925 18952 7ff718d4ce10 18903->18952 19002 7ff718d496b4 18903->19002 19007 7ff718d55920 18903->19007 18906 7ff718d4988c 18905->18906 18907 7ff718d49880 ??_V@YAXPEAX 18905->18907 18908 7ff718d58f80 7 API calls 18906->18908 18907->18906 18909 7ff718d4989d 18908->18909 18909->18695 18912 7ff718d53a90 170 API calls 18911->18912 18913 7ff718d69064 18912->18913 18914 7ff718d6906e 18913->18914 18915 7ff718d69083 18913->18915 18916 7ff718d5498c 8 API calls 18914->18916 18917 7ff718d4cd90 166 API calls 18915->18917 18922 7ff718d69081 18916->18922 18918 7ff718d6909b 18917->18918 18919 7ff718d5498c 8 API calls 18918->18919 18918->18922 18920 7ff718d690ec 18919->18920 18921 7ff718d4ff70 2 API calls 18920->18921 18921->18922 18922->18850 18924 7ff718d5ed0a DeleteProcThreadAttributeList 18923->18924 18924->18834 18926 7ff718d5203b 18925->18926 18927 7ff718d520b0 18926->18927 18928 7ff718d52094 18926->18928 18929 7ff718d53060 171 API calls 18927->18929 18931 7ff718d5211c 
18927->18931 18930 7ff718d520a6 18928->18930 18932 7ff718d43278 166 API calls 18928->18932 18929->18931 18933 7ff718d58f80 7 API calls 18930->18933 18931->18930 18934 7ff718d52e44 2 API calls 18931->18934 18932->18930 18935 7ff718d52325 18933->18935 18936 7ff718d52148 18934->18936 18935->18903 18936->18930 19027 7ff718d52d70 18936->19027 18939 7ff718d4b900 166 API calls 18941 7ff718d521d0 18939->18941 18940 7ff718d5e04a ??_V@YAXPEAX 18940->18930 18941->18940 18942 7ff718d5221c wcsspn 18941->18942 18951 7ff718d522a4 ??_V@YAXPEAX 18941->18951 18943 7ff718d4b900 166 API calls 18942->18943 18945 7ff718d5223b 18943->18945 18945->18940 18948 7ff718d52252 18945->18948 18946 7ff718d4d3f0 223 API calls 18946->18951 18947 7ff718d5e06d wcschr 18947->18948 18948->18947 18949 7ff718d5e090 towupper 18948->18949 18950 7ff718d5228f 18948->18950 18949->18948 18949->18950 18950->18946 18951->18930 18953 7ff718d4d0f8 18952->18953 18984 7ff718d4ce5b 18952->18984 18954 7ff718d58f80 7 API calls 18953->18954 18956 7ff718d4d10a 18954->18956 18955 7ff718d5c860 18957 7ff718d5c97c 18955->18957 18960 7ff718d6ee88 390 API calls 18955->18960 18956->18903 18959 7ff718d6e9b4 197 API calls 18957->18959 18961 7ff718d5c981 longjmp 18959->18961 18962 7ff718d5c879 18960->18962 18963 7ff718d5c99a 18961->18963 18964 7ff718d5c95c 18962->18964 18965 7ff718d5c882 EnterCriticalSection LeaveCriticalSection 18962->18965 18963->18953 18967 7ff718d5c9b3 ??_V@YAXPEAX 18963->18967 18964->18957 18969 7ff718d496b4 186 API calls 18964->18969 18968 7ff718d4d0e3 18965->18968 18967->18953 18968->18903 18969->18964 18971 7ff718d4cd90 166 API calls 18971->18984 18972 7ff718d4d208 _close 18972->18984 18973 7ff718d5c9d5 19111 7ff718d6d610 18973->19111 18975 7ff718d4b900 166 API calls 18975->18984 18977 7ff718d5ca07 18978 7ff718d6e91c 198 API calls 18977->18978 18983 7ff718d5ca0c 18978->18983 18979 7ff718d6bfec 176 API calls 18980 7ff718d5c9f1 18979->18980 18982 7ff718d43240 166 API calls 18980->18982 18981 7ff718d4cf33 
memset 18981->18984 18982->18977 18983->18903 18984->18953 18984->18955 18984->18963 18984->18968 18984->18971 18984->18973 18984->18975 18984->18981 18985 7ff718d4ca40 17 API calls 18984->18985 18986 7ff718d6bfec 176 API calls 18984->18986 18987 7ff718d4d184 wcschr 18984->18987 18988 7ff718d4d1a7 wcschr 18984->18988 18989 7ff718d5c9c9 18984->18989 18992 7ff718d50a6c 273 API calls 18984->18992 18993 7ff718d4be00 647 API calls 18984->18993 18994 7ff718d53448 166 API calls 18984->18994 18995 7ff718d4cfab _wcsicmp 18984->18995 18996 7ff718d50580 12 API calls 18984->18996 19000 7ff718d51fac 238 API calls 18984->19000 19001 7ff718d4d044 ??_V@YAXPEAX 18984->19001 19037 7ff718d50494 18984->19037 19050 7ff718d4df60 18984->19050 19070 7ff718d6778c 18984->19070 19101 7ff718d6c738 18984->19101 18985->18984 18986->18984 18987->18984 18988->18984 18990 7ff718d5855c ??_V@YAXPEAX 18989->18990 18990->18953 18992->18984 18993->18984 18994->18984 18995->18984 18997 7ff718d4d003 GetConsoleOutputCP GetCPInfo 18996->18997 18998 7ff718d504f4 3 API calls 18997->18998 18998->18984 19000->18984 19001->18984 19003 7ff718d496c8 19002->19003 19004 7ff718d5b6e2 RevertToSelf CloseHandle 19002->19004 19005 7ff718d496ce 19003->19005 19006 7ff718d46a48 184 API calls 19003->19006 19005->18903 19006->19003 19008 7ff718d5596c 19007->19008 19009 7ff718d55a12 19007->19009 19008->19009 19010 7ff718d5598d VirtualQuery 19008->19010 19009->18903 19010->19009 19012 7ff718d559ad 19010->19012 19011 7ff718d559b7 VirtualQuery 19011->19009 19011->19012 19012->19009 19012->19011 19014 7ff718d6e954 19013->19014 19015 7ff718d6e990 19013->19015 19017 7ff718d6ee88 390 API calls 19014->19017 19016 7ff718d6e9b4 197 API calls 19015->19016 19018 7ff718d6e995 longjmp 19016->19018 19019 7ff718d6e964 19017->19019 19019->19015 19020 7ff718d496b4 186 API calls 19019->19020 19020->19019 19022 7ff718d676a3 19021->19022 19023 7ff718d676b7 19022->19023 19024 7ff718d496b4 186 API calls 19022->19024 19025 7ff718d6e9b4 197 API calls 
19023->19025 19024->19022 19026 7ff718d676bc longjmp 19025->19026 19028 7ff718d52d89 19027->19028 19029 7ff718d52da3 19027->19029 19032 7ff718d521af 19028->19032 19033 7ff718d52e0c 19028->19033 19029->19028 19030 7ff718d52dbc GetProcessHeap RtlFreeHeap 19029->19030 19030->19028 19030->19029 19032->18939 19034 7ff718d52e32 19033->19034 19035 7ff718d52e11 19033->19035 19034->19028 19035->19034 19036 7ff718d5e494 VirtualFree 19035->19036 19039 7ff718d504a4 19037->19039 19038 7ff718d526e0 19 API calls 19038->19039 19039->19038 19040 7ff718d504b9 _get_osfhandle SetFilePointer 19039->19040 19041 7ff718d5d845 19039->19041 19042 7ff718d5d839 19039->19042 19044 7ff718d43278 166 API calls 19039->19044 19040->18984 19043 7ff718d6f1d8 166 API calls 19041->19043 19045 7ff718d43278 166 API calls 19042->19045 19046 7ff718d5d837 19043->19046 19047 7ff718d5d819 _getch 19044->19047 19045->19046 19047->19039 19048 7ff718d5d832 19047->19048 19120 7ff718d6bde4 EnterCriticalSection LeaveCriticalSection 19048->19120 19051 7ff718d4df93 19050->19051 19052 7ff718d4dfe2 19050->19052 19051->19052 19053 7ff718d4df9f GetProcessHeap RtlFreeHeap 19051->19053 19054 7ff718d4e100 VirtualFree 19052->19054 19055 7ff718d4e00b _setjmp 19052->19055 19053->19051 19053->19052 19054->19052 19056 7ff718d4e04a 19055->19056 19057 7ff718d4ceaa _tell 19055->19057 19058 7ff718d4e600 473 API calls 19056->19058 19057->18972 19059 7ff718d4e073 19058->19059 19060 7ff718d4e0e0 longjmp 19059->19060 19061 7ff718d4e081 19059->19061 19069 7ff718d4e0b0 19060->19069 19121 7ff718d4d250 19061->19121 19066 7ff718d4e600 473 API calls 19067 7ff718d4e0a7 19066->19067 19068 7ff718d6d610 167 API calls 19067->19068 19067->19069 19068->19069 19069->19057 19152 7ff718d6d3fc 19069->19152 19090 7ff718d677bc 19070->19090 19071 7ff718d679ef 19071->18984 19072 7ff718d679c0 19081 7ff718d534a0 166 API calls 19072->19081 19073 7ff718d67aca 19075 7ff718d534a0 166 API calls 19073->19075 19076 7ff718d67adb 19075->19076 19079 7ff718d67af0 
19076->19079 19084 7ff718d53448 166 API calls 19076->19084 19077 7ff718d67984 19077->19072 19080 7ff718d67989 19077->19080 19078 7ff718d67ab5 19082 7ff718d53448 166 API calls 19078->19082 19085 7ff718d6778c 166 API calls 19079->19085 19080->19071 19204 7ff718d676e0 19080->19204 19087 7ff718d679d6 19081->19087 19082->19071 19083 7ff718d67a00 19083->19071 19089 7ff718d67a0b 19083->19089 19099 7ff718d67a33 19083->19099 19084->19079 19088 7ff718d67afb 19085->19088 19086 7ff718d53448 166 API calls 19086->19090 19091 7ff718d53448 166 API calls 19087->19091 19100 7ff718d679e7 19087->19100 19088->19080 19094 7ff718d53448 166 API calls 19088->19094 19089->19071 19095 7ff718d534a0 166 API calls 19089->19095 19090->19071 19090->19072 19090->19073 19090->19077 19090->19078 19090->19080 19090->19083 19090->19086 19097 7ff718d6778c 166 API calls 19090->19097 19091->19100 19093 7ff718d53448 166 API calls 19093->19071 19094->19080 19096 7ff718d67a23 19095->19096 19098 7ff718d6778c 166 API calls 19096->19098 19097->19090 19098->19100 19099->19093 19200 7ff718d67730 19100->19200 19102 7ff718d6c775 19101->19102 19109 7ff718d6c7ab 19101->19109 19103 7ff718d4cd90 166 API calls 19102->19103 19105 7ff718d6c781 19103->19105 19104 7ff718d6c8d4 19104->18984 19105->19104 19106 7ff718d4b0d8 194 API calls 19105->19106 19106->19104 19107 7ff718d4b6b0 170 API calls 19107->19109 19108 7ff718d4b038 _dup2 19108->19109 19109->19104 19109->19105 19109->19107 19109->19108 19110 7ff718d4d208 _close 19109->19110 19110->19109 19112 7ff718d6d63d 19111->19112 19118 7ff718d6d635 19111->19118 19113 7ff718d6d64a 19112->19113 19115 7ff718d6d658 19112->19115 19114 7ff718d43278 166 API calls 19113->19114 19114->19118 19115->19118 19119 7ff718d43278 166 API calls 19115->19119 19116 7ff718d5c9da 19116->18977 19116->18979 19117 7ff718d6d672 longjmp 19117->19116 19118->19116 19118->19117 19119->19118 19122 7ff718d4d2d3 19121->19122 19132 7ff718d4d267 19121->19132 19126 7ff718d4e600 473 API calls 19122->19126 19128 
7ff718d4d305 19122->19128 19122->19132 19123 7ff718d4d2a6 19125 7ff718d4d316 19123->19125 19130 7ff718d4ef40 472 API calls 19123->19130 19124 7ff718d4d284 _wcsicmp 19124->19123 19129 7ff718d4d32b 19124->19129 19125->19066 19125->19069 19126->19122 19127 7ff718d4e600 473 API calls 19127->19129 19128->19125 19131 7ff718d4e600 473 API calls 19128->19131 19129->19123 19129->19127 19141 7ff718d4edf8 19130->19141 19131->19132 19132->19123 19132->19124 19133 7ff718d5d0a2 longjmp 19134 7ff718d5d0c5 19133->19134 19135 7ff718d53448 166 API calls 19134->19135 19136 7ff718d5d0d4 19135->19136 19137 7ff718d4ee68 19139 7ff718d4ef40 472 API calls 19137->19139 19138 7ff718d4eece 19138->19125 19140 7ff718d4cd90 166 API calls 19138->19140 19139->19125 19142 7ff718d4eee7 19140->19142 19141->19133 19141->19134 19141->19137 19144 7ff718d4eeb1 19141->19144 19145 7ff718d4eeef 19142->19145 19146 7ff718d4ef31 19142->19146 19143 7ff718d4e600 473 API calls 19143->19144 19144->19138 19144->19143 19148 7ff718d4eec2 19144->19148 19149 7ff718d4e600 473 API calls 19145->19149 19147 7ff718d6e91c 198 API calls 19146->19147 19150 7ff718d4ef36 19147->19150 19151 7ff718d4ef40 472 API calls 19148->19151 19149->19125 19150->19133 19151->19138 19168 7ff718d6d419 19152->19168 19153 7ff718d5cadf 19154 7ff718d6d576 19155 7ff718d6d592 19154->19155 19166 7ff718d6d555 19154->19166 19156 7ff718d53448 166 API calls 19155->19156 19159 7ff718d6d5a5 19156->19159 19157 7ff718d6d5c4 19161 7ff718d53448 166 API calls 19157->19161 19162 7ff718d6d5ba 19159->19162 19164 7ff718d53448 166 API calls 19159->19164 19160 7ff718d6d541 19160->19155 19163 7ff718d6d546 19160->19163 19161->19153 19170 7ff718d6d36c 19162->19170 19163->19157 19163->19166 19164->19162 19177 7ff718d6d31c 19166->19177 19167 7ff718d6d3fc 166 API calls 19167->19168 19168->19153 19168->19154 19168->19155 19168->19157 19168->19160 19168->19166 19168->19167 19169 7ff718d53448 166 API calls 19168->19169 19169->19168 19171 7ff718d6d3d8 19170->19171 19172 
7ff718d6d381 19170->19172 19173 7ff718d534a0 166 API calls 19172->19173 19175 7ff718d6d390 19173->19175 19174 7ff718d53448 166 API calls 19174->19175 19175->19171 19175->19174 19176 7ff718d534a0 166 API calls 19175->19176 19176->19175 19178 7ff718d53448 166 API calls 19177->19178 19179 7ff718d6d33b 19178->19179 19180 7ff718d6d36c 166 API calls 19179->19180 19181 7ff718d6d343 19180->19181 19182 7ff718d6d3fc 166 API calls 19181->19182 19199 7ff718d6d34e 19182->19199 19183 7ff718d6d5c2 19183->19153 19184 7ff718d6d576 19185 7ff718d6d592 19184->19185 19197 7ff718d6d555 19184->19197 19186 7ff718d53448 166 API calls 19185->19186 19189 7ff718d6d5a5 19186->19189 19187 7ff718d6d5c4 19191 7ff718d53448 166 API calls 19187->19191 19188 7ff718d6d31c 166 API calls 19188->19183 19192 7ff718d6d5ba 19189->19192 19195 7ff718d53448 166 API calls 19189->19195 19190 7ff718d6d541 19190->19185 19193 7ff718d6d546 19190->19193 19191->19183 19196 7ff718d6d36c 166 API calls 19192->19196 19193->19187 19193->19197 19194 7ff718d53448 166 API calls 19194->19199 19195->19192 19196->19183 19197->19188 19198 7ff718d6d3fc 166 API calls 19198->19199 19199->19183 19199->19184 19199->19185 19199->19187 19199->19190 19199->19194 19199->19197 19199->19198 19203 7ff718d6773c 19200->19203 19201 7ff718d6777d 19201->19071 19202 7ff718d53448 166 API calls 19202->19203 19203->19201 19203->19202 19205 7ff718d6778c 166 API calls 19204->19205 19206 7ff718d676fb 19205->19206 19207 7ff718d6771c 19206->19207 19208 7ff718d53448 166 API calls 19206->19208 19207->19071 19209 7ff718d67711 19208->19209 19210 7ff718d6778c 166 API calls 19209->19210 19210->19207 19212 7ff718d472de 19211->19212 19213 7ff718d64621 19211->19213 19215 7ff718d472eb 19212->19215 19220 7ff718d64467 19212->19220 19221 7ff718d64530 19212->19221 19214 7ff718d647e0 19213->19214 19218 7ff718d6447b longjmp 19213->19218 19222 7ff718d64639 19213->19222 19237 7ff718d6475e 19213->19237 19216 7ff718d47348 168 API calls 19214->19216 19272 7ff718d47348 
19215->19272 19271 7ff718d64524 19216->19271 19223 7ff718d64492 19218->19223 19220->19215 19220->19223 19233 7ff718d64475 19220->19233 19228 7ff718d47348 168 API calls 19221->19228 19225 7ff718d6463e 19222->19225 19226 7ff718d64695 19222->19226 19227 7ff718d47348 168 API calls 19223->19227 19224 7ff718d47315 19287 7ff718d473d4 19224->19287 19225->19218 19241 7ff718d64654 19225->19241 19232 7ff718d473d4 168 API calls 19226->19232 19244 7ff718d644a8 19227->19244 19235 7ff718d64549 19228->19235 19229 7ff718d472b0 168 API calls 19238 7ff718d6480e 19229->19238 19230 7ff718d47348 168 API calls 19230->19224 19240 7ff718d6469a 19232->19240 19233->19218 19233->19226 19234 7ff718d47348 168 API calls 19234->19214 19236 7ff718d645b2 19235->19236 19257 7ff718d47348 168 API calls 19235->19257 19262 7ff718d6455e 19235->19262 19242 7ff718d47348 168 API calls 19236->19242 19237->19234 19238->18702 19239 7ff718d47323 19239->18702 19255 7ff718d646e1 19240->19255 19263 7ff718d646c7 19240->19263 19264 7ff718d646ea 19240->19264 19245 7ff718d47348 168 API calls 19241->19245 19247 7ff718d645c7 19242->19247 19243 7ff718d644e2 19251 7ff718d472b0 168 API calls 19243->19251 19244->19243 19250 7ff718d47348 168 API calls 19244->19250 19245->19239 19246 7ff718d472b0 168 API calls 19252 7ff718d64738 19246->19252 19249 7ff718d47348 168 API calls 19247->19249 19248 7ff718d47348 168 API calls 19248->19236 19253 7ff718d645db 19249->19253 19250->19243 19254 7ff718d644f1 19251->19254 19256 7ff718d47348 168 API calls 19252->19256 19258 7ff718d47348 168 API calls 19253->19258 19259 7ff718d472b0 168 API calls 19254->19259 19255->19246 19256->19271 19257->19262 19260 7ff718d645ec 19258->19260 19261 7ff718d64503 19259->19261 19266 7ff718d47348 168 API calls 19260->19266 19261->19239 19269 7ff718d47348 168 API calls 19261->19269 19262->19236 19262->19248 19263->19255 19267 7ff718d47348 168 API calls 19263->19267 19265 7ff718d47348 168 API calls 19264->19265 19265->19255 19268 7ff718d64600 19266->19268 
19267->19255 19270 7ff718d47348 168 API calls 19268->19270 19269->19271 19270->19271 19271->19229 19271->19239 19279 7ff718d4735d 19272->19279 19273 7ff718d43278 166 API calls 19274 7ff718d64820 longjmp 19273->19274 19275 7ff718d64838 19274->19275 19276 7ff718d43278 166 API calls 19275->19276 19277 7ff718d64844 longjmp 19276->19277 19278 7ff718d6485a 19277->19278 19280 7ff718d47348 166 API calls 19278->19280 19279->19273 19279->19275 19279->19279 19286 7ff718d473ab 19279->19286 19281 7ff718d6487b 19280->19281 19282 7ff718d47348 166 API calls 19281->19282 19283 7ff718d648ad 19282->19283 19284 7ff718d47348 166 API calls 19283->19284 19285 7ff718d472ff 19284->19285 19285->19224 19285->19230 19288 7ff718d6485a 19287->19288 19289 7ff718d47401 19287->19289 19290 7ff718d47348 168 API calls 19288->19290 19289->19239 19291 7ff718d6487b 19290->19291 19292 7ff718d47348 168 API calls 19291->19292 19293 7ff718d648ad 19292->19293 19294 7ff718d47348 168 API calls 19293->19294 19295 7ff718d648be 19294->19295 19295->19239 16744 7ff718d58d80 16745 7ff718d58da4 16744->16745 16746 7ff718d58db6 16745->16746 16747 7ff718d58dbf Sleep 16745->16747 16748 7ff718d58ddb _amsg_exit 16746->16748 16752 7ff718d58de7 16746->16752 16747->16745 16748->16752 16749 7ff718d58e56 _initterm 16750 7ff718d58e73 _IsNonwritableInCurrentImage 16749->16750 16758 7ff718d537d8 GetCurrentThreadId OpenThread 16750->16758 16751 7ff718d58e3c 16752->16749 16752->16750 16752->16751 16791 7ff718d504f4 16758->16791 16760 7ff718d53839 HeapSetInformation RegOpenKeyExW 16761 7ff718d5388d 16760->16761 16762 7ff718d5e9f8 RegQueryValueExW RegCloseKey 16760->16762 16763 7ff718d55920 VirtualQuery VirtualQuery 16761->16763 16765 7ff718d5ea41 GetThreadLocale 16762->16765 16764 7ff718d538ab GetConsoleOutputCP GetCPInfo 16763->16764 16764->16765 16766 7ff718d538f1 memset 16764->16766 16773 7ff718d53919 16765->16773 16766->16773 16767 7ff718d54d5c 391 API calls 16767->16773 16768 7ff718d43240 166 API calls 16768->16773 16769 
7ff718d5eb27 _setjmp 16769->16773 16770 7ff718d53948 _setjmp 16770->16773 16771 7ff718d68530 370 API calls 16771->16773 16772 7ff718d501b8 6 API calls 16772->16773 16773->16762 16773->16767 16773->16768 16773->16769 16773->16770 16773->16771 16773->16772 16774 7ff718d4df60 481 API calls 16773->16774 16775 7ff718d5eb71 _setmode 16773->16775 16776 7ff718d586f0 182 API calls 16773->16776 16777 7ff718d50580 12 API calls 16773->16777 16778 7ff718d54c1c 166 API calls 16773->16778 16780 7ff718d558e4 EnterCriticalSection LeaveCriticalSection 16773->16780 16782 7ff718d4be00 659 API calls 16773->16782 16783 7ff718d558e4 EnterCriticalSection LeaveCriticalSection 16773->16783 16774->16773 16775->16773 16776->16773 16779 7ff718d5398b GetConsoleOutputCP GetCPInfo 16777->16779 16778->16773 16781 7ff718d504f4 GetModuleHandleW GetProcAddress SetThreadLocale 16779->16781 16780->16773 16781->16773 16782->16773 16784 7ff718d5ebbe GetConsoleOutputCP GetCPInfo 16783->16784 16785 7ff718d504f4 GetModuleHandleW GetProcAddress SetThreadLocale 16784->16785 16786 7ff718d5ebe6 16785->16786 16787 7ff718d4be00 659 API calls 16786->16787 16788 7ff718d50580 12 API calls 16786->16788 16787->16786 16789 7ff718d5ebfc GetConsoleOutputCP GetCPInfo 16788->16789 16790 7ff718d504f4 GetModuleHandleW GetProcAddress SetThreadLocale 16789->16790 16790->16773 16792 7ff718d50504 16791->16792 16793 7ff718d5051e GetModuleHandleW 16792->16793 16794 7ff718d5054d GetProcAddress 16792->16794 16795 7ff718d5056c SetThreadLocale 16792->16795 16793->16792 16794->16792

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                          • String ID: :$:$:$:ON$OFF
                          • API String ID: 972821348-467788257
                          • Opcode ID: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                          • Instruction ID: 3899f5b58632f2d57bad750863e14eadcb2ef4c251859ad5345cd454f452a09f
                          • Opcode Fuzzy Hash: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                          • Instruction Fuzzy Hash: 0322C221A08F4A86FB54BF219415279E6B1EF4DBA0FC88176C98E47794DF3CA44C8729

                          Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                          • Function: 7ff718d551ec-7ff718d554f9, with out-of-line paths at 7ff718d5ef32-7ff718d5f23e
                          • Library calls on the graph: GetLocaleInfoW (14 call sites), setlocale
                          • Internal calls: 7ff718d55508, 7ff718d58f80
                          • Together with the ".OCP", day-name and "MM/dd/yy"-style strings listed under Similarity this is locale and date-format initialisation (setlocale with ".OCP" selects the console output code page for the CRT)
                          Similarity
                          • API ID: InfoLocale$DefaultUsersetlocale
                          • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                          • API String ID: 1351325837-2236139042
                          • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                          • Instruction ID: 8161ed9b0cdea9e0b2741457a39ebb61d6d9dba22c0652d29eba2148c7a1af0a
                          • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                          • Instruction Fuzzy Hash: 96F14B25B08B4A85EB15AF15D5102B9E2B4BF0DBA4FD44236DA8D477A4EF3CE50DC328

                          Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                          • Function: 7ff718d55554-7ff718d558db, with out-of-line paths at 7ff718d5f248-7ff718d5f44c
                          • Library calls on the graph: RegOpenKeyExW, RegQueryValueExW (7 call sites, one per value name listed under Similarity), RegCloseKey, _wtol (3 sites), wcstol (3 sites), ExpandEnvironmentStringsW, time, srand
                          • The RegOpenKeyExW block is re-entered once (edge 272->270), so the key is opened and queried twice in succession, consistent with cmd.exe reading Software\Microsoft\Command Processor from HKLM and then from HKCU; the numeric values are converted with _wtol/wcstol and a string value is passed through ExpandEnvironmentStringsW before the call to 7ff718d4b900
                          • Internal calls: 7ff718d5a640, 7ff718d513e0, 7ff718d4b900, 7ff718d58f80
                          Similarity
                          • API ID: QueryValue$CloseOpensrandtime
                          • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                          • API String ID: 145004033-3846321370
                          • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                          • Instruction ID: cb7799b12b6521e97310c5ca65dc329cbd234d29441052a8e0563b1355e43f39
                          • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                          • Instruction Fuzzy Hash: 2BE13A32519F8A86E751AB10E44017AF7B0FB89765FC05236EACE42A58DF7CE54CCB24

                          Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                          • Function: 7ff718d537d8-7ff718d53a05, with out-of-line paths at 7ff718d5e9f8-7ff718d5ec24
                          • Library calls on the graph: GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetConsoleOutputCP, GetCPInfo, GetThreadLocale, memset, _setjmp (2 sites), _setmode
                          • The RegOpenKeyExW/RegQueryValueExW pair reads the DisableCMD value under Software\Policies\Microsoft\Windows\System (strings under Similarity); after the call to the startup routine 7ff718d54d5c, _setjmp is taken before the loop that repeatedly calls 7ff718d4df60
                          • Internal calls: 7ff718d504f4, 7ff718d55920, 7ff718d54d5c, 7ff718d43240, 7ff718d68530, 7ff718d54c1c, 7ff718d501b8, 7ff718d586f0, 7ff718d558e4, 7ff718d4df60, 7ff718d4be00, 7ff718d50580
                          Similarity
                          • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                          • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                          • API String ID: 2624720099-1920437939
                          • Opcode ID: 0bf09e208e1b0c6bea64f33002f51ec0bb7d1cb9bc02841e8aeeb1d0e4bcf9a4
                          • Instruction ID: f3a5d52e787c499db80ef41b758dbff7cf1eb4f250ecf78b3a4b347f963f2960
                          • Opcode Fuzzy Hash: 0bf09e208e1b0c6bea64f33002f51ec0bb7d1cb9bc02841e8aeeb1d0e4bcf9a4
                          • Instruction Fuzzy Hash: 25C1C131E08F4A8AF714BB609441178FAB1FF4E734FC4823AD99E56695DE3CA44D8728
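The two registry readers in this dump, 7ff718d55554 (Software\Microsoft\Command Processor: AutoRun, CompletionChar, DefaultColor, DelayedExpansion, DisableUNCCheck, EnableExtensions, PathCompletionChar) and 7ff718d537d8 (DisableCMD under Software\Policies\Microsoft\Windows\System), are cmd.exe's own startup configuration code, and a copy of cmd.exe under another name honours the same keys. The script below is an added example, not code from the Joe Sandbox report or from cmd.exe: it parses a `reg export` file of those keys offline and flags any AutoRun value (cmd.exe executes the HKLM value and then the HKCU value on every start unless it is launched with /D, so it is both a persistence point and a way to hijack every batch file on the host) and reports the DisableCMD policy setting. The embedded export, the key constants and the severity labels are constructed for the example; the DisableCMD value meanings follow the "Prevent access to the command prompt" policy template. Real exports are UTF-16 and must be opened with encoding="utf-16".

```python
"""Offline triage of the registry keys read by cmd.exe at startup
(Software\\Microsoft\\Command Processor and the DisableCMD policy).

Added example, not code from the sandbox report or from cmd.exe.  It parses a
.reg export (the format `reg export` writes) so it runs on hives collected from
a host; the export embedded below is constructed for the example.
"""
import re

CMD_CONFIG_KEY = r"software\microsoft\command processor"
CMD_POLICY_KEY = r"software\policies\microsoft\windows\system"

# Constructed sample: what `reg export` of the relevant keys could look like on
# a host where AutoRun has been planted in both hives.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"CompletionChar"=dword:00000040
"EnableExtensions"=dword:00000001
"AutoRun"="\"C:\\Users\\Public\\update.cmd\""

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"CompletionChar"=dword:00000009
"AutoRun"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,\
  5c,00,72,00,2e,00,63,00,6d,00,64,00,00,00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
'''


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw):
    """Decode the right-hand side of a .reg value line to (type, value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    m = re.match(r"^hex\((\d+)\):(.*)$", raw)
    if m and m.group(1) == "2":                       # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    return "RAW", raw                                  # binary, multi-string etc. left as-is


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name_lowercase: (type, value)}}.

    Key paths and value names are lower-cased because the registry compares
    them case-insensitively; hex(...) values split over continuation lines
    (trailing backslash) are joined before decoding."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # continuation of a hex value
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
        keys[current][name] = _decode_value(m.group(2))
    return keys


def triage(keys):
    """Return (severity, hive, value_name, detail) tuples for the values that
    matter: AutoRun is the persistence/hijack point (cmd.exe runs the HKLM value
    and then the HKCU value on every start unless launched with /D), DisableCMD
    tells you whether policy was meant to block cmd.exe at all."""
    findings = []
    for path, values in keys.items():
        hive, _, sub = path.partition("\\")
        hive = hive.upper()
        if sub == CMD_CONFIG_KEY and "autorun" in values:
            vtype, cmd = values["autorun"]
            findings.append(("high", hive, "AutoRun", f"{vtype} {cmd}"))
        if sub == CMD_POLICY_KEY and "disablecmd" in values:
            _, mode = values["disablecmd"]
            meaning = {0: "cmd.exe allowed",
                       1: "cmd.exe and batch files blocked",
                       2: "interactive cmd.exe blocked, batch files allowed"}.get(mode, "unknown")
            findings.append(("info", hive, "DisableCMD", f"{mode} ({meaning})"))
    # HKLM first: that is the order in which cmd.exe executes the AutoRun values
    return sorted(findings, key=lambda f: (f[1] != "HKEY_LOCAL_MACHINE", f[2]))


if __name__ == "__main__":
    for severity, hive, name, detail in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{severity}] {hive}\\...\\{name} = {detail}")
```

On a live host the same keys are collected with `reg export "HKLM\Software\Microsoft\Command Processor" out.reg` (and the HKCU and Policies paths), then fed to parse_reg_export after reading the file as UTF-16. A REG_EXPAND_SZ AutoRun is reported unexpanded on purpose: the disassembly shows the value going through ExpandEnvironmentStringsW at run time, so the unexpanded form is what the attacker wrote and the environment of the victim process decides what actually runs.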

                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                          • Instruction ID: 7d3d4f061d33efecd404d077a79c841b505941160734e29a406f1e165d341a09
                          • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                          • Instruction Fuzzy Hash: F651D621B08B8685EB20AB15D54427AE770FB58BB4FC44332DEAD076D1DF3CE44D8614

                          APIs
                          • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A28
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A66
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A7D
                          • memmove.MSVCRT(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A9A
                          • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54AA2
                          Similarity
                          • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                          • String ID:
                          • API String ID: 1623332820-0
                          • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                          • Instruction ID: 49b706479c9ec15682a12ec367f5ad59a9c100a2f86f5e4e780a5cf160e3329a
                          • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                          • Instruction Fuzzy Hash: 6B11C122B04B5682DF54AB02A004039FBB1FB8DFA8BC88135DE8E03744DE3CE44C8728
                          APIs
                          • memset.MSVCRT ref: 00007FF718D47DA1
                            • Part of subcall function 00007FF718D5417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D541AD
                            • Part of subcall function 00007FF718D4D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D46E
                            • Part of subcall function 00007FF718D4D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D485
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D4EE
                            • Part of subcall function 00007FF718D4D3F0: iswspace.MSVCRT ref: 00007FF718D4D54D
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D569
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D58C
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D47EB7
                          Similarity
                          • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                          • String ID:
                          • API String ID: 168394030-0
                          • Opcode ID: b6050c66f82dc7928a1abc4fa5bbb3c506f83fcae6e66a9ce87afb692c1e7a8d
                          • Instruction ID: b6caba322b15b6d30f6027e2d6eaeaea24ece01cf2eeca58cbde49c46beb5303
                          • Opcode Fuzzy Hash: b6050c66f82dc7928a1abc4fa5bbb3c506f83fcae6e66a9ce87afb692c1e7a8d
                          • Instruction Fuzzy Hash: C3A11521B08F4A85FB24AB2994416B9E3B1BF8D7A4FC44232D99D47AD5DF3CE40D8714

                          Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                          • Function: 7ff718d54d5c-7ff718d551e3, the startup routine called from 7ff718d537d8
                          • Library calls on the graph: InitializeCriticalSection, SetConsoleCtrlHandler, _get_osfhandle/GetConsoleMode, GetCommandLineW (2 sites), GetWindowsDirectoryW, GetConsoleOutputCP/GetCPInfo, GetProcessHeap/HeapAlloc, GetConsoleTitleW, GetStdHandle/GetConsoleScreenBufferInfo, GlobalFree, GetModuleHandleW followed by three GetProcAddress calls, free (itemised with call sites under APIs)
                          • Internal calls: 7ff718d558e4, 7ff718d50580, 7ff718d54a14 (copies the environment block), 7ff718d54ad0, 7ff718d55554 (Command Processor registry values), 7ff718d52e44, 7ff718d513e0, 7ff718d4ca40, 7ff718d5417c (GetCurrentDirectoryW), 7ff718d52394, 7ff718d4aa54, 7ff718d43278, 7ff718d53c24, 7ff718d551ec (locale and date format), 7ff718d53578, 7ff718d6cff0, 7ff718d6b89c, 7ff718d4586c, 7ff718d43240, 7ff718d53448, 7ff718d58f80, 7ff718d54c1c
                          APIs
                          • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54D9A
                            • Part of subcall function 00007FF718D558E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF718D6C6DB), ref: 00007FF718D558EF
                          • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54DBB
                          • _get_osfhandle.MSVCRT ref: 00007FF718D54DCA
                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54DE0
                          • _get_osfhandle.MSVCRT ref: 00007FF718D54DEE
                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54E04
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D50589
                            • Part of subcall function 00007FF718D50580: SetConsoleMode.KERNELBASE ref: 00007FF718D5059E
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D505AF
                            • Part of subcall function 00007FF718D50580: GetConsoleMode.KERNELBASE ref: 00007FF718D505C5
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D505EF
                            • Part of subcall function 00007FF718D50580: GetConsoleMode.KERNELBASE ref: 00007FF718D50605
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D50632
                            • Part of subcall function 00007FF718D50580: SetConsoleMode.KERNELBASE ref: 00007FF718D50647
                            • Part of subcall function 00007FF718D54A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A28
                            • Part of subcall function 00007FF718D54A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A66
                            • Part of subcall function 00007FF718D54A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A7D
                            • Part of subcall function 00007FF718D54A14: memmove.MSVCRT(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A9A
                            • Part of subcall function 00007FF718D54A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54AA2
                            • Part of subcall function 00007FF718D54AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AD6
                            • Part of subcall function 00007FF718D54AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AEF
                            • Part of subcall function 00007FF718D55554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF718D54E35), ref: 00007FF718D555DA
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D55623
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D55667
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D556BE
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D55702
                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54E35
                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54E81
                          • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54F69
                          • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54F95
                          • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FB0
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FC1
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FD8
                          • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FF8
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D55037
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D5504B
                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D550DF
                          • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D550F2
                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D5510F
                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D55130
                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D5514A
                          • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D55175
                            • Part of subcall function 00007FF718D53578: _get_osfhandle.MSVCRT ref: 00007FF718D53584
                            • Part of subcall function 00007FF718D53578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                            • Part of subcall function 00007FF718D53578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                            • Part of subcall function 00007FF718D53578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                            • Part of subcall function 00007FF718D53578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                            • Part of subcall function 00007FF718D53578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                          • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                          • API String ID: 1049357271-3021193919
                          • Opcode ID: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                          • Instruction ID: bbe90bd8c78fd4c7fe8e6d92604338f93252f1983bf6e026e76d0992b7e6061b
                          • Opcode Fuzzy Hash: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                          • Instruction Fuzzy Hash: EBC15D61A08F4A86EB05BB11A851179F6B1FF8DBB4FC48235D98E43795DF3CA44D8328

                          Control-flow Graph

                          • Rendered graph not recoverable from text. Function at 7ff718d53c24; graph nodes reference GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetLastError, _local_unwind, GetFileAttributesW and SetCurrentDirectoryW.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                          • String ID: :
                          • API String ID: 1809961153-336475711
                          • Opcode ID: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                          • Instruction ID: 16c68941097148f4859e30e19119dce06b363c8a5774dc3edc17895876dc76d8
                          • Opcode Fuzzy Hash: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                          • Instruction Fuzzy Hash: 19D15F6260CF8981EB24AB15E4552BAF7B1FB89760F844236DA8E437A4DF3CE54CC714

                          Control-flow Graph

                          • Rendered graph not recoverable from text. Function at 7ff718d52394; graph nodes reference memset, GetModuleFileNameW, wcschr, _wcsupr, wcsrchr, _wcsicmp and ??_V@YAXPEAX@Z.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                          • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                          • API String ID: 2622545777-4197029667
                          • Opcode ID: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                          • Instruction ID: 09d390c02a9ce2b8f079c5455b2ced51ab0abd1dd628dace76babded7e3864a0
                          • Opcode Fuzzy Hash: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                          • Instruction Fuzzy Hash: D1914C61A09F8A85EF25BB10D8505B9E3B1BF4CBA4FC48236C98E47695DE3CE50C8324

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleMode_get_osfhandle
                          • String ID: CMD.EXE
                          • API String ID: 1606018815-3025314500
                          • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                          • Instruction ID: 26f1c0749396bdd1615f345a6cdda60f82e76e23410354b7f165d45a27f474b6
                          • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                          • Instruction Fuzzy Hash: C741D531A09F168BE718BB24E856578F7A0BB8E775FC84175C99E43350DF3CA40C8629

                          Control-flow Graph

                          • Rendered graph not recoverable from text. Function at 7ff718d4c620; graph nodes reference GetConsoleTitleW, GetLastError, towupper, SetConsoleTitleW, wcsncmp and wcschr.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleTitlewcschr
                          • String ID: /$:
                          • API String ID: 2364928044-4222935259
                          • Opcode ID: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                          • Instruction ID: f5897a2460a5fda66329b52555a8555ac64d56fe15eb757648239965e7b04f29
                          • Opcode Fuzzy Hash: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                          • Instruction Fuzzy Hash: 30C19D61A08F4A81EB24BB1594452B9E2F0EF59BB4FC84271D99E476E5DF3CE44CC328

                          Control-flow Graph

                          • Rendered graph not recoverable from text. Function at 7ff718d47aa0; graph nodes reference memset, GetFullPathNameW, GetLastError, CreateDirectoryW and free.
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CreateDirectoryDriveFullNamePathTypefreememset
                          • String ID:
                          • API String ID: 1445986735-0
                          • Opcode ID: fe82e3eae3579b7f0e88292875d89759f9dd0f662728a8192ad32f6f8a3809eb
                          • Instruction ID: 063d474c2508422dbf452949602a28def1a7605e280948bf922f0d6ae63115a6
                          • Opcode Fuzzy Hash: fe82e3eae3579b7f0e88292875d89759f9dd0f662728a8192ad32f6f8a3809eb
                          • Instruction Fuzzy Hash: 04916132B08F9986EB64AB1194406B9F3B1FB4CBA4F858136DA8D07B94DF3CD54C8725

                          Control-flow Graph

                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                          • String ID:
                          • API String ID: 4291973834-0
                          • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                          • Instruction ID: 1189ae2a5ae61fa3b7cca3c7ac9d0b98648099412c25f26f9ba842c4fed01512
                          • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                          • Instruction Fuzzy Hash: 6441EC21A08F0A86F750BB10E842236E2B0AF4C378FD40536D99D976A4DF7DE94CC768

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: onecore\base\cmd\maxpathawarestring.cpp
                          • API String ID: 2221118986-3416068913
                          • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                          • Instruction ID: 235ea427dc6a2ed7764fe92438c5b636eee05c1da4cbacbab64aaf3232b21c47
                          • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                          • Instruction Fuzzy Hash: 7C11CA21A08F4A81EB54EB16A145279D2A09F4CBB4F984331DEAD477D5DD3CD04C4328

                          Control-flow Graph

                          • Rendered graph not recoverable from text. Function at 7ff718d4be00; graph nodes reference memset.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memsetwcschr
                          • String ID: 2$COMSPEC
                          • API String ID: 1764819092-1738800741
                          • Opcode ID: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                          • Instruction ID: 51825dd42125d073f38c48f7fb102c5c9c6e547a97519fa681ad4d2599864562
                          • Opcode Fuzzy Hash: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                          • Instruction Fuzzy Hash: 0C51C031A08F4A45FB70BB619441379E2A49FAD7A4FCC4071DACD42AD6DE2CE84C8768
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_taskmalloc
                          • String ID:
                          • API String ID: 1412018758-0
                          • Opcode ID: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                          • Instruction ID: 9e08a03e03070ecb77d2cb7a2b6665314c1a04c152d55f1a04b591c84d755fa0
                          • Opcode Fuzzy Hash: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                          • Instruction Fuzzy Hash: B1E0C941E59B1FA1FB193B627842178D2745F5E764E982531DD9D05382EE2CA09D8238
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                          • Instruction ID: 033659daa3aaa5e98109d821e65aae6ce5d3d0c1a1987554e33ccd3c4adf234f
                          • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                          • Instruction Fuzzy Hash: 74F04B31A18B4686EB08AB05E841168FBB0FB9DB20BD89135D98A03354DF3CE44D8718
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: exit
                          • String ID:
                          • API String ID: 2483651598-0
                          • Opcode ID: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                          • Instruction ID: 363da56883751ff70acbec2ed3db043b7fb5537c26ed47cc3a06a0f76e9767ef
                          • Opcode Fuzzy Hash: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                          • Instruction Fuzzy Hash: C1C01270708B4A47EB1C773164A1079D5755B4C211F845539C68681281DD28D40C8219
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: DefaultUser
                          • String ID:
                          • API String ID: 3358694519-0
                          • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                          • Instruction ID: 2516eaaa1b238ff67db580d8c14081a48363ec3cdec996f34653c72e2fe279e3
                          • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                          • Instruction Fuzzy Hash: 06E0C2A2D08F578BF7593E4160423B4D973CB6C7B2FC44132E68D812C04D2D284D522C
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                          • Instruction ID: fe0838f0563912c0075f1662831a974878f4733b1de0f88c4cb74483d7f75235
                          • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                          • Instruction Fuzzy Hash: 3FF0B421B09B9940EB409756B540129D3A19B4CBF0B888335FABC47BC5DE3CD4598304
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                          • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                          • API String ID: 1388555566-2647954630
                          • Opcode ID: d4d9ce56e35a01f12eedf6d783baa2c0b86a8d3bd91a5e3763091160450b3b6f
                          • Instruction ID: 400f64bed4d000eee6bb8a5c4d9cc8da488030c40819ab970b2d9dfe29557bcb
                          • Opcode Fuzzy Hash: d4d9ce56e35a01f12eedf6d783baa2c0b86a8d3bd91a5e3763091160450b3b6f
                          • Instruction Fuzzy Hash: 23A29131A08F8A86FB14AB25A4541B9F7A1FB8DB64FD48135DA8E47B94DF3CD40C8724
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                          • String ID: &<|>$+: $:$:EOF$=,;$^
                          • API String ID: 511550188-726566285
                          • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                          • Instruction ID: 190324869256a4e25f6079e2c5ed937fffd24518ba6caca0eb84bb4a26e1d9ed
                          • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                          • Instruction Fuzzy Hash: BE52B131A0CF5A96EB24AB15A400279E6B1FB4D774FC84275D98E43B94DF3CE84D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmp$wcschr$wcstol
                          • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                          • API String ID: 1738779099-3004636944
                          • Opcode ID: 524a9485643aabb091361d6b16ddfe7c9a3cfc40a98c1ea6d538c196b1212b63
                          • Instruction ID: c248e9d83d9693156af6ce17a5bf3e26cae389a1a20509667a965f814f96adbe
                          • Opcode Fuzzy Hash: 524a9485643aabb091361d6b16ddfe7c9a3cfc40a98c1ea6d538c196b1212b63
                          • Instruction Fuzzy Hash: E9728031B08B4A8AEB10AF6590406BDF7B1FB48768FC44175DE8D57B94DE3CA80C8729
                          APIs
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D67F44
                          • _get_osfhandle.MSVCRT ref: 00007FF718D67F5C
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D67F9E
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D67FFF
                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68020
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68036
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68061
                          • RtlFreeHeap.NTDLL ref: 00007FF718D68075
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D680D6
                          • RtlFreeHeap.NTDLL ref: 00007FF718D680EA
                          • _wcsnicmp.MSVCRT ref: 00007FF718D68177
                          • _wcsnicmp.MSVCRT ref: 00007FF718D6819A
                          • _wcsnicmp.MSVCRT ref: 00007FF718D681BD
                          • _wcsnicmp.MSVCRT ref: 00007FF718D681DC
                          • _wcsnicmp.MSVCRT ref: 00007FF718D681FB
                          • _wcsnicmp.MSVCRT ref: 00007FF718D6821A
                          • _wcsnicmp.MSVCRT ref: 00007FF718D68239
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68291
                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D682D7
                          • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D682FB
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D6831A
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68364
                          • RtlFreeHeap.NTDLL ref: 00007FF718D68378
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D6839A
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D683AE
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D683E6
                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68403
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68418
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                          • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                          • API String ID: 3637805771-3100821235
                          • Opcode ID: c15d10fa516844a3d30f6ee6566238d7eb90fade697e3424b0e4caa7a671d349
                          • Instruction ID: 1624fd992df05dac8b1f7da137e34bb7508be44d7a4d201177b0d22f20a171ab
                          • Opcode Fuzzy Hash: c15d10fa516844a3d30f6ee6566238d7eb90fade697e3424b0e4caa7a671d349
                          • Instruction Fuzzy Hash: 46E19271A08F5A8AE714AB61E401179FAB1FB4DBA9BD48230DD9E53794DF3CA40CC724
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                          • String ID: %s$%s
                          • API String ID: 3623545644-3518022669
                          • Opcode ID: b1280c95c607ff8abac62f17f6730ad2ac5bc7cd816563325bb9a0c6bc9b7514
                          • Instruction ID: d8c1cb54380944eb2892f4acf3fbcb86936c6a49e2e42b6bcc9e6b178ea031b0
                          • Opcode Fuzzy Hash: b1280c95c607ff8abac62f17f6730ad2ac5bc7cd816563325bb9a0c6bc9b7514
                          • Instruction Fuzzy Hash: DFD2C431A09F8A8AEB64AF21D4802BDF7A1FB49764F944135DA8E47A94DF3CE44CC714
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                          • String ID: %9d$%s
                          • API String ID: 4286035211-3662383364
                          • Opcode ID: b114766139773e2df951d73e5d05123471aeb2e8fda5b0a6868f05ac29e6399a
                          • Instruction ID: e301579c325d4d6e1053e92c298d540993f978c017ffdeb447673feb1359d0ef
                          • Opcode Fuzzy Hash: b114766139773e2df951d73e5d05123471aeb2e8fda5b0a6868f05ac29e6399a
                          • Instruction Fuzzy Hash: 48529632A08F898AEB24AB24D8502F9F7A0FB4D768F944135DA8E47B95DF3CD54C8714
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                          • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                          • API String ID: 3305344409-4288247545
                          • Opcode ID: 534ec16e987550a66f3e1d5b34a1157b4fd9a17b2c719d80120aaa9796f83e6c
                          • Instruction ID: 2a325b6e42977db82d17c7e33bbb92505f88fdceb79ed2a7735b50eae2416c7d
                          • Opcode Fuzzy Hash: 534ec16e987550a66f3e1d5b34a1157b4fd9a17b2c719d80120aaa9796f83e6c
                          • Instruction Fuzzy Hash: E342A321A08F8A85EF14AB2198502B9E6B1AF4D7B4FC44336D99E477D4DF3CE54D8328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                          • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                          • API String ID: 388421343-2905461000
                          • Opcode ID: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
                          • Instruction ID: 1755befc11888d1a2097a4baa6f9971d9b44f90365d9e2ee096b4d1a8344dc99
                          • Opcode Fuzzy Hash: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
                          • Instruction Fuzzy Hash: 70F14A71A08F8A85EB60AB11E4817B9F7B1FB8D7A0F804236D98D42654DF3CE44CCB65
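The string constellations in the records above (START's priority and window keywords such as ABOVENORMAL and SEPARATE, FOR /F's delims=/eol=/skip=/tokens=/usebackq options, the default PATHEXT list ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC" next to COMSPEC and DPATH, and the COPYCMD/\XCOPY.EXE/=ExitCodeAscii helpers) belong to cmd.exe's own command parsers, which is consistent with the "drops or copies cmd.exe with a different name" signature: the image analysed in process 5 carries cmd.exe's code under another file name. The Python below is an added triage example, not part of the Joe Sandbox report or its tooling. It searches a PE image or memory dump for those strings, assumed to be stored as UTF-16LE because the records pair them with wcs*-family calls, and reports whether a file that is not named cmd.exe carries cmd.exe's parser strings. The two sample buffers are constructed here for the demonstration, and the threshold of three matching string groups is a chosen heuristic, not a value from the report.

```python
import os
import sys

# UTF-16LE string constants that the cmd.exe function records above recover from
# the process-5 image: START option keywords, FOR /F option keywords, the default
# PATHEXT list with its lookup variables, and the COPY/XCOPY helper strings. Any
# one group could occur in another program; the combination is characteristic of
# cmd.exe's parsers.
CMD_MARKERS = {
    "start_options": ["ABOVENORMAL", "BELOWNORMAL", "REALTIME", "SEPARATE", "NEWWINDOW"],
    "for_f_options": ["delims=", "eol=", "skip=", "tokens=", "usebackq"],
    "path_resolution": [".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC", "PATHEXT", "COMSPEC", "DPATH"],
    "copy_helpers": ["COPYCMD", "\\XCOPY.EXE", "=ExitCodeAscii"],
}


def find_markers(data: bytes) -> dict:
    """Return, per group, the marker strings present in data as UTF-16LE."""
    return {group: [s for s in strings if s.encode("utf-16-le") in data]
            for group, strings in CMD_MARKERS.items()}


def looks_like_cmd(data: bytes, min_groups: int = 3) -> bool:
    """True when at least min_groups marker groups each have at least one hit.
    The threshold is a chosen heuristic, not a value from the report."""
    hits = find_markers(data)
    return sum(1 for group_hits in hits.values() if group_hits) >= min_groups


def classify(file_name: str, data: bytes) -> str:
    """Combine the on-disk name with the string check into a triage verdict."""
    if not data.startswith(b"MZ"):
        return "not a PE image"
    if not looks_like_cmd(data):
        return "no cmd.exe markers"
    base = os.path.basename(file_name).lower()
    return "cmd.exe" if base == "cmd.exe" else "renamed cmd.exe"


def _utf16(*strings: str) -> bytes:
    """Encode strings as NUL-terminated UTF-16LE, the way wide literals sit in an image."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)


# Constructed sample buffers (not real files): a fake PE body carrying cmd.exe's
# parser strings, and a fake PE body carrying unrelated strings.
SAMPLE_RENAMED_CMD = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64
                      + _utf16("ABOVENORMAL", "REALTIME", "usebackq", "tokens=",
                               ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC", "COMSPEC",
                               "COPYCMD", "\\XCOPY.EXE"))
SAMPLE_BENIGN = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64
                 + _utf16("Hello, world", "PATH"))

if __name__ == "__main__":
    # Usage: python cmd_marker_scan.py <file> [<file> ...]
    # Run with no arguments, it classifies the two constructed samples.
    if len(sys.argv) == 1:
        print("sample.pif:", classify("sample.pif", SAMPLE_RENAMED_CMD))
        print("benign.exe:", classify("benign.exe", SAMPLE_BENIGN))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(f"{path}: {classify(path, blob)} {find_markers(blob)}")
```

Point it at the dropped file or at the process-5 memory dumps listed above; a "renamed cmd.exe" verdict on a file whose name is not cmd.exe is the on-disk counterpart of the sandbox signature, and the per-group hits tell you which parser strings drove it. The check is a string heuristic only: packing or encryption of the image hides the strings, and a legitimately renamed copy of cmd.exe will also match, so treat the result as a triage lead rather than a conviction.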
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcsrchr$towlower
                          • String ID: fdpnxsatz
                          • API String ID: 3267374428-1106894203
                          • Opcode ID: ad1bcbbe82a7f5b39676b917d6e1cd648cfaa51af7a6c8b46bc02b7c8c250201
                          • Instruction ID: b6a0450a779705f52d59f9817774184168a6dad78245a5fd7da4652d79360cdb
                          • Opcode Fuzzy Hash: ad1bcbbe82a7f5b39676b917d6e1cd648cfaa51af7a6c8b46bc02b7c8c250201
                          • Instruction Fuzzy Hash: 2C42C421B08F8A85EF64AF2595102B9E6B1FF49BA4F944236DE8E47784DF3CE44D8314
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                          • String ID: DPATH
                          • API String ID: 95024817-2010427443
                          • Opcode ID: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                          • Instruction ID: d80d5a8d6824c30011bb5958682cb3915ea634037319e34e1d7305702a6e703c
                          • Opcode Fuzzy Hash: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                          • Instruction Fuzzy Hash: 6512B332A08F8A86E764AF15A4401B9F6A2FB8D764FD45135EA8E53794DF3CE40C8B14
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID:
                          • String ID: [...]$ [..]$ [.]$...$:
                          • API String ID: 0-1980097535
                          • Opcode ID: 251dffbd20cb83d3debd935fcd4546828530d34106f281e7cd8b68f040cf8ba4
                          • Instruction ID: 9a2100d364ce319e372c5f09ac6017220eb1755459264f1c6f2614c78e84c108
                          • Opcode Fuzzy Hash: 251dffbd20cb83d3debd935fcd4546828530d34106f281e7cd8b68f040cf8ba4
                          • Instruction Fuzzy Hash: 11329F72A08F8A86EB24EF21D4402F9E3A0EB497A8FD54135DA8D47A95DF3CD50DC724
                          APIs
                          • _wcsupr.MSVCRT ref: 00007FF718D6EF33
                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EF98
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EFA9
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EFBF
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF718D6EFDC
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EFED
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F003
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F022
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F083
                          • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F092
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F0A5
                          • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF718D6F0DB
                          • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F135
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F16C
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F185
                            • Part of subcall function 00007FF718D501B8: _get_osfhandle.MSVCRT ref: 00007FF718D501C4
                            • Part of subcall function 00007FF718D501B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D501D6
                          Similarity
                          • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                          • String ID: <noalias>$CMD.EXE
                          • API String ID: 1161012917-1690691951
                          • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                          • Instruction ID: da441310c98a3805eb8cccd45e034b48561ae853b1bb52edc4942ed6a163c0ce
                          • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                          • Instruction Fuzzy Hash: 87917021B09F5A8AFB04AB60E4411BDFAB0AF4DB78FD84135DD8E42695DF3CA44D8324
                          Similarity
                          • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                          • String ID: %02d%s%02d%s%02d$%s $%s %s
                          • API String ID: 1795611712-4023967598
                          • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                          • Instruction ID: dc5853c369473a6ca7146477d47e6b641267fcdc98bdec7d86edeacd82947d90
                          • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                          • Instruction Fuzzy Hash: 44E1B021A08F4E86FB10AF64A8411B9E6B2FF4D7A4FD44132D98E47695DF3CE50C8368
                          APIs
                            • Part of subcall function 00007FF718D53578: _get_osfhandle.MSVCRT ref: 00007FF718D53584
                            • Part of subcall function 00007FF718D53578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                            • Part of subcall function 00007FF718D53578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                            • Part of subcall function 00007FF718D53578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                            • Part of subcall function 00007FF718D53578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                            • Part of subcall function 00007FF718D53578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          • _get_osfhandle.MSVCRT ref: 00007FF718D432F3
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF718D432A4), ref: 00007FF718D43309
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF718D43384
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D611DF
                          Similarity
                          • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                          • String ID:
                          • API String ID: 611521582-0
                          • Opcode ID: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                          • Instruction ID: 92d55ec69ea7531689af60269d462ce89c25f578714490eb5cdd73d8fd24372a
                          • Opcode Fuzzy Hash: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                          • Instruction Fuzzy Hash: D4A1C232F08F5A86FB18AB65A4052BDE6A1FB4DB69FC44139CD8E46B40DF3C944D8724
                          Similarity
                          • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                          • String ID: \\?\
                          • API String ID: 628682198-4282027825
                          • Opcode ID: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                          • Instruction ID: 9d4a8968559c1dc6bc7335e06564c5eaa3cb9701485c5ccd492a6a85f30ae9d8
                          • Opcode Fuzzy Hash: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                          • Instruction Fuzzy Hash: 48E18131B08F8A96EF64AB24D8502F9E3A0FB49769F844135D98E46B94EF3CD54DC314
                          Similarity
                          • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                          • String ID:
                          • API String ID: 16309207-0
                          • Opcode ID: 86690df5a35c47ea2bcce9b612d36fe3f63b0820289f587d8a51e9e8d197d79b
                          • Instruction ID: 946f1d6c2d7ea75e1f7370d79fddeeec85d6413ea9b7ef59860fd01069fb95ea
                          • Opcode Fuzzy Hash: 86690df5a35c47ea2bcce9b612d36fe3f63b0820289f587d8a51e9e8d197d79b
                          • Instruction Fuzzy Hash: F122A262B04F8A86EB64AF21D8542F9E3A0FF497A4F904135DA8E47B95DF3CE14D8314
                          Similarity
                          • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                          • String ID: $Application$System
                          • API String ID: 3538039442-1881496484
                          • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                          • Instruction ID: 87565d6b8cd536369c5b998379bd4495aed219d2e46719057164ca04c9358508
                          • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                          • Instruction Fuzzy Hash: 0E519F32A08F4986EB249B15B4016BAFAA1FB8DB68F848134DA8E43B54DF3CD44DC714
                          APIs
                          • longjmp.MSVCRT(?,?,00000000,00007FF718D6048E), ref: 00007FF718D6DA58
                          • memset.MSVCRT ref: 00007FF718D6DAD6
                          • memset.MSVCRT ref: 00007FF718D6DAFC
                          • memset.MSVCRT ref: 00007FF718D6DB22
                            • Part of subcall function 00007FF718D53A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D6EAC5,?,?,?,00007FF718D6E925,?,?,?,?,00007FF718D4B9B1), ref: 00007FF718D53A56
                            • Part of subcall function 00007FF718D45194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF718D451C4
                            • Part of subcall function 00007FF718D5823C: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D58280
                            • Part of subcall function 00007FF718D5823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D5829D
                            • Part of subcall function 00007FF718D501B8: _get_osfhandle.MSVCRT ref: 00007FF718D501C4
                            • Part of subcall function 00007FF718D501B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D501D6
                            • Part of subcall function 00007FF718D44FE8: _get_osfhandle.MSVCRT ref: 00007FF718D45012
                            • Part of subcall function 00007FF718D44FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D45030
                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D6DDB0
                            • Part of subcall function 00007FF718D459E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D45A2E
                            • Part of subcall function 00007FF718D459E4: _open_osfhandle.MSVCRT ref: 00007FF718D45A4F
                          • _get_osfhandle.MSVCRT ref: 00007FF718D6DDEB
                          • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D6DDFA
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D6E204
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D6E223
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D6E242
                          Similarity
                          • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                          • String ID: %9d$%s$~
                          • API String ID: 3651208239-912394897
                          • Opcode ID: 890cca104b69365cf936dd1624f6b5150d7a96fff965683345eff720fd26938b
                          • Instruction ID: 0133b3d5b835d771674005405bcf7b5e59aef1cc8d560047d499954a2e371939
                          • Opcode Fuzzy Hash: 890cca104b69365cf936dd1624f6b5150d7a96fff965683345eff720fd26938b
                          • Instruction Fuzzy Hash: E9428231A08F8A86E764AF21D4512F9F3B1FB49764FA00136E68D87A99DF3CE54C8714
                          Similarity
                          • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                          • String ID: GOTO
                          • API String ID: 3863671652-1693823284
                          • Opcode ID: 8a7ebebe1ccbf711eb435a48e2ca9f96987f67b530ed60dee1bcce27abdacbd9
                          • Instruction ID: ade3d96499f3b27a5069a8f1ff62a733d8c024913b94394ff0027fd4d4be5dd5
                          • Opcode Fuzzy Hash: 8a7ebebe1ccbf711eb435a48e2ca9f96987f67b530ed60dee1bcce27abdacbd9
                          • Instruction Fuzzy Hash: 43E1DD31A09F4A86FB64BB159444379E6A0AF4D774FD84236C98E43AD1DF3CE84D8728
                          Similarity
                          • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                          • String ID: COPYCMD$\
                          • API String ID: 3989487059-1802776761
                          • Opcode ID: 3bbf8f215ee2954a5d4fb17bf70d9d8e166cfa696a158a9e0d223ca151e74ab2
                          • Instruction ID: 380f781db08b13182cfdf69db2970bd083fb870898bba80f038ac0acf0e0cdcd
                          • Opcode Fuzzy Hash: 3bbf8f215ee2954a5d4fb17bf70d9d8e166cfa696a158a9e0d223ca151e74ab2
                          • Instruction Fuzzy Hash: D2F1B565A08F4E86EF14BB25D4016BAE3A0FF4DBA8F984135DA8D47B94DE3CE44D8314
                          Similarity
                          • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                          • String ID:
                          • API String ID: 3935429995-0
                          • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                          • Instruction ID: e262bebe74c5f069e6ff2c7615e8b9685dfc5013b9db2482a3780ccc22556c59
                          • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                          • Instruction Fuzzy Hash: 3A61B126A08F96C2EB14AF21A405579FBA1FB8DF68F858235DE8A43790DF3CD40D8714
                          Similarity
                          • API ID: Time$File$System$FormatInfoLocalLocale
                          • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                          • API String ID: 55602301-695310191
                          • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                          • Instruction ID: e4e1c09b9103a124a822a8435c7c64a55bbebf752b0a5f600b7a72b126ea610f
                          • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                          • Instruction Fuzzy Hash: A1A18272A08F4A96EB10AB10E4401BAF7B5FB89764FD04236DA8E43694EF3CE54CC754
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                          • Instruction ID: 26b99ddedf1d57922a2265bf6bf660dfbc7ecaac4b56e1808808a69afb4ec500
                          • Opcode Fuzzy Hash: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                          • Instruction Fuzzy Hash: 04919F32608F8A86EB28AF25D4502FDF6A0FB4D769F944135DA8E47B94DE3CD54CC224
                          Similarity
                          • API ID: _get_osfhandlememset$wcschr
                          • String ID: DPATH
                          • API String ID: 3260997497-2010427443
                          • Opcode ID: 3d336d0508f9d51260e4716dc0b75001e2ca59ffb0876634830191a582af1c3b
                          • Instruction ID: 6a36b28adf339db6527225fa81a84662f945e7333ca52c5f46a5619223256d77
                          • Opcode Fuzzy Hash: 3d336d0508f9d51260e4716dc0b75001e2ca59ffb0876634830191a582af1c3b
                          • Instruction Fuzzy Hash: 5FD19E32A08F4A86EB14AB65D44117DE2B1FB58BA4FC84232D99D477D4DF3CE80D8368
                          Similarity
                          • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                          • String ID: @P
                          • API String ID: 1801357106-3670739982
                          • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                          • Instruction ID: 48ba600cf6b683a8a543b1dbccc02fc9dbb0367342f910a016512147f53e1d69
                          • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                          • Instruction Fuzzy Hash: EA415932B04F4ADAE310AF65D4402ADFBB0EB8D769F948231DA8D52A98DF78D50CC714
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$BufferConsoleInfoScreen
                          • String ID:
                          • API String ID: 1034426908-0
                          • Opcode ID: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
                          • Instruction ID: 4080e8fa45e1d04afec30a39e85290416078cff3174a24b130745ac71c9a377f
                          • Opcode Fuzzy Hash: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
                          • Instruction Fuzzy Hash: E8F1A332608F8A8AEB24EF21D8402E9F7A0FF59768F844175DA8D47A95DF38E50CC714
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorFileFindFirstLast
                          • String ID:
                          • API String ID: 873889042-0
                          • Opcode ID: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                          • Instruction ID: f42558e83a8816533f83753d22104c85286e8e14183712f9df04dda3b31d3916
                          • Opcode Fuzzy Hash: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                          • Instruction Fuzzy Hash: 48512B35A09F4A8AE700AF11A441279FBB0FB5EBA1FD48232DA9D43354CF3CE45C8618
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CloseValue$CreateDeleteOpen
                          • String ID: %s=%s$\Shell\Open\Command
                          • API String ID: 4081037667-3301834661
                          • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                          • Instruction ID: c865b5594a1c9814fb628596e52e2cdb6265d2a2987fe98c584e7eea8e4e45da
                          • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                          • Instruction Fuzzy Hash: BD71B262B09F4A86EB50AB16A0502B9E2A1FF8D7A4FD44131DECE07785EF3CD44D8725
                          APIs
                          • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D6AA85
                          • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D6AACF
                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D6AAEC
                          • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF718D698C0), ref: 00007FF718D6AB39
                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF718D698C0), ref: 00007FF718D6AB6F
                          • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF718D698C0), ref: 00007FF718D6ABA4
                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF718D698C0), ref: 00007FF718D6ABCB
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CloseDeleteValue$CreateOpen
                          • String ID: %s=%s
                          • API String ID: 1019019434-1087296587
                          • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                          • Instruction ID: d20ad81498c4674e2c6cc02ada39c14313378811d2d607f9cb4eda47d20e526e
                          • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                          • Instruction Fuzzy Hash: 0951B231B08F5A86E760AB2AA44176AF6A1FB8D7A0F948235CACD43790DF38D44D8715
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmpwcsrchr
                          • String ID: COPYCMD
                          • API String ID: 2429825313-3727491224
                          • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                          • Instruction ID: dc468bc12b506f6d56b7a7d670d5fef67d32368e32baff902cbc4676e4fac23e
                          • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                          • Instruction Fuzzy Hash: 2EF19431F08F4A85FB60AF61904017DF6B5AB0C7A8F944275DE9D22A94DE3CA84DC768
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$FullNamePathwcsrchr
                          • String ID:
                          • API String ID: 4289998964-0
                          • Opcode ID: a80d012484cbdcca0ca620b8a14734abd8c46742d7c15bd51813b886838a5470
                          • Instruction ID: b415b46c8408311045c07cc307bb25863295f0e54ac976a06185ff98a5e7e586
                          • Opcode Fuzzy Hash: a80d012484cbdcca0ca620b8a14734abd8c46742d7c15bd51813b886838a5470
                          • Instruction Fuzzy Hash: 66C1B421B09F5E82EB54BB519548779E3A1FB49BB0F945531CA8E03BD0DF3CA49D8328
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                          • String ID:
                          • API String ID: 3476366620-0
                          • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                          • Instruction ID: 4a00a057843659e39ebd3e018c48dd1747ffa7142badc312681f3cb10f957663
                          • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                          • Instruction Fuzzy Hash: 5421FA20908F4E96EB147B20A8162B8E661FF5EB35FD44235D5DE462E1DF3CA40D8728
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                          • String ID:
                          • API String ID: 4104442557-0
                          • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                          • Instruction ID: 00bca345a54cfcdd9bb1ff5a52ff89e89671fc42a2b7c7e334c191f6a44ec001
                          • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                          • Instruction Fuzzy Hash: CE115122604F458AEB00EF61E8452A8B3A4FB0D76CF800A35EAAD47B54DF3CD1AC8354
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                          • String ID: %9d
                          • API String ID: 1006866328-2241623522
                          • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                          • Instruction ID: 6a198dbc205421cb02d477cbc51231dbbf1da7478deb92ffe7b2ad0f942f0cf5
                          • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                          • Instruction Fuzzy Hash: 1F516072A08B4A9AE700AF1198415A8FBB0FB49774FC44635DAAD53795CF3CE50CCB24
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                          • Instruction ID: 785cd84dc2ca9042db46c23a143b05e8caa07473419494595fb88bf0b5abf10d
                          • Opcode Fuzzy Hash: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                          • Instruction Fuzzy Hash: 8EC1F832A09F8A86EB61EB11E450AB9E3B0FB597A4F884171DA8D07B95DF3CD14CC314
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                          • Instruction ID: 83f29f6ba815b0ddeb9cf0a3e0e0a176372edfbc4ccfacf3a2c7441264fea5d4
                          • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                          • Instruction Fuzzy Hash: EEA1A331A18F4A85EB14BB16A451679E6A0FF8D7A0FC44135ED8E43BA5DF3CE40D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$DiskFreeSpace
                          • String ID: %5lu
                          • API String ID: 2448137811-2100233843
                          • Opcode ID: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
                          • Instruction ID: 0d8c4934ea4f03a9f37409d2b499bb6f3afa24f72ba9db660e70ac96d08703fe
                          • Opcode Fuzzy Hash: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
                          • Instruction Fuzzy Hash: 51416E62608FC985EB61EF11E8416EAE361FB88798F848136DA8D4BB48DF7CD14DC714
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmp
                          • String ID: GeToken: (%x) '%s'
                          • API String ID: 2081463915-1994581435
                          • Opcode ID: e3a6cb9c4f4fe1a277f0a8ebff47e1c814c31c2abc96469986f3b1ea96a28bad
                          • Instruction ID: 81654db7d4cc7e7340c4cfce1bb858993ce4c405e432ae23294c7fc083fb4ad0
                          • Opcode Fuzzy Hash: e3a6cb9c4f4fe1a277f0a8ebff47e1c814c31c2abc96469986f3b1ea96a28bad
                          • Instruction Fuzzy Hash: 7A719C30E0CF4E95FB64BB65A485275E2A0AF09774FC80575D58D42AA5DF3CA48D8338
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr
                          • String ID:
                          • API String ID: 1497570035-0
                          • Opcode ID: 953991e5515e9720921bfd82a5a30b3c869f8d800aebf2b352ed82d5cf5886c3
                          • Instruction ID: dc91a2f204351ce46488fc82de22c9fcc224d829fd150702c11fe154c5db0322
                          • Opcode Fuzzy Hash: 953991e5515e9720921bfd82a5a30b3c869f8d800aebf2b352ed82d5cf5886c3
                          • Instruction Fuzzy Hash: 0CC1E831A08F4A85EB54BB119441279E6B0FF8D7A4F884232EADE47A95DF3CE44CC724
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNext
                          • String ID:
                          • API String ID: 3541575487-0
                          • Opcode ID: 565e35bf3077f6e5330a4c685e4702854ac746395b3091a84d0a46ce28e859e6
                          • Instruction ID: 4993ec60f8db344faf5b11e31155b609515ad0b6aa31654ad074876631035628
                          • Opcode Fuzzy Hash: 565e35bf3077f6e5330a4c685e4702854ac746395b3091a84d0a46ce28e859e6
                          • Instruction Fuzzy Hash: ACA1F261B18F5E81EF14AB6594142B9E2A0AF48BF4F954331DEAE477C5EE3CE40C8224
                          APIs
                            • Part of subcall function 00007FF718D4CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                            • Part of subcall function 00007FF718D4CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          • _pipe.MSVCRT ref: 00007FF718D46C1E
                          • _get_osfhandle.MSVCRT ref: 00007FF718D46CD1
                          • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF718D46CFB
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                          • String ID:
                          • API String ID: 624391571-0
                          • Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                          • Instruction ID: cd3caf9620fdd534c8dff1039e8cee58e1e9be61b770c95cad70a72fecdfa726
                          • Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                          • Instruction Fuzzy Hash: 41719D31A08F0A87E714BF24E841078F6A2EF8D774BD88274E69D566D5CF3CA44D8728
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CurrentDebugDebuggerOutputPresentStringThread
                          • String ID:
                          • API String ID: 4268342597-0
                          • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                          • Instruction ID: 9b732530bb1c263674beabf62a71b6c93197a9bb009b8b261a556170d8c375b3
                          • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                          • Instruction Fuzzy Hash: 89812A22A08F8E85EB64AF25B441239F7A0EF5DBA4FA84135C98D43754DF3CE44D8768
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: OpenToken$CloseProcessThread
                          • String ID:
                          • API String ID: 2991381754-0
                          APIs
                          • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF718D6C59E), ref: 00007FF718D45879
                            • Part of subcall function 00007FF718D458D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D45903
                            • Part of subcall function 00007FF718D458D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D45943
                            • Part of subcall function 00007FF718D458D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D45956
                          Strings
                          Similarity
                          • API ID: CloseOpenQueryValueVersion
                          • String ID: %d.%d.%05d.%d
                          • API String ID: 2996790148-3457777122
                          APIs
                          Similarity
                          • API ID: memset$ErrorFileFindFirstLast
                          • String ID:
                          • API String ID: 2831795651-0
                          APIs
                          Similarity
                          • API ID: InformationQueryToken
                          • String ID:
                          • API String ID: 4239771691-0
                          APIs
                          Similarity
                          • API ID: FileInformation$HandleQueryVolume
                          • String ID:
                          • API String ID: 2149833895-0
                          APIs
                            • Part of subcall function 00007FF718D4D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D46E
                            • Part of subcall function 00007FF718D4D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D485
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D4EE
                            • Part of subcall function 00007FF718D4D3F0: iswspace.MSVCRT ref: 00007FF718D4D54D
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D569
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D58C
                          • towupper.MSVCRT ref: 00007FF718D485D4
                          Similarity
                          • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                          • String ID:
                          • API String ID: 3520273530-0
                          APIs
                          Similarity
                          • API ID: InformationQueryToken
                          • String ID:
                          • API String ID: 4239771691-0
                          APIs
                          • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D593BB
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          APIs
                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF718D4F52A,00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F8DE
                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F8FB
                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F951
                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F96B
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4FA8E
                          • _get_osfhandle.MSVCRT ref: 00007FF718D4FB14
                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4FB2D
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4FBEA
                          • _get_osfhandle.MSVCRT ref: 00007FF718D4F996
                            • Part of subcall function 00007FF718D50010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF718D6849D,?,?,?,00007FF718D6F0C7), ref: 00007FF718D50045
                            • Part of subcall function 00007FF718D50010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF718D6F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D50071
                            • Part of subcall function 00007FF718D50010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D50092
                            • Part of subcall function 00007FF718D50010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF718D500A7
                            • Part of subcall function 00007FF718D50010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF718D50181
                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D5D401
                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D5D41B
                          • longjmp.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D5D435
                          • longjmp.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D5D480
                          Strings
                          Similarity
                          • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                          • String ID: =,;
                          • API String ID: 3964947564-1539845467
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcsicmp$iswspacewcschr
                          • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                          • API String ID: 840959033-3627297882
                          APIs
                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F000
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F031
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F0D6
                          Strings
                          Similarity
                          • API ID: iswdigitiswspacewcschr
                          • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                          • API String ID: 1595556998-2755026540
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcsicmp$EnvironmentVariable
                          • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                          • API String ID: 198002717-2301591722
                          APIs
                          Strings
                          Similarity
                          • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                          • String ID: "$=,;
                          • API String ID: 3545743878-4143597401
                          APIs
                          Strings
                          Similarity
                          • API ID: CurrentFormatMessageThread
                          • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                          • API String ID: 2411632146-3173542853
                          APIs
                          Strings
                          Similarity
                          • API ID: CreateFile_open_osfhandle
                          • String ID: con
                          • API String ID: 2905481843-4257191772
                          APIs
                          Strings
                          Similarity
                          • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                          • String ID:
                          • API String ID: 3829876242-3916222277
                          • Opcode ID: 10a5b567e72863909b04e51aaf43edd524101fd282eaa5692d28ef0ea38d911e
                          • Instruction ID: 0476a9fd4ba71ddd4c26630d5328606392da75073b24cf838d8aa7ea01431468
                          • Opcode Fuzzy Hash: 10a5b567e72863909b04e51aaf43edd524101fd282eaa5692d28ef0ea38d911e
                          • Instruction Fuzzy Hash: 9F617F32A08F4A96E718AB1194151BAF6A1FF8DB68FD49134DE8E07794DF3CE40D8B14
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                          • String ID: CSVFS$NTFS$REFS
                          • API String ID: 3510147486-2605508654
                          • Opcode ID: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                          • Instruction ID: 607ecee09e86f02c098fffcc034f065a538f20ee09a808beb2fd93aa1744daf3
                          • Opcode Fuzzy Hash: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                          • Instruction Fuzzy Hash: 55615932608F868AEB65AF21E8443E9F7A5FB49B98F844235CA4D4B758DF38D10CC714
                          APIs
                          • longjmp.MSVCRT(?,00000000,00000000,00007FF718D47279,?,?,?,?,?,00007FF718D4BFA9), ref: 00007FF718D64485
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: longjmp
                          • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                          • API String ID: 1832741078-366822981
                          • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                          • Instruction ID: bc6e28422725a81fd9a7074aaaff528feaf21dac33ad8da8994c378d6af34eeb
                          • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                          • Instruction Fuzzy Hash: 6CC17C20F0CF4E85E724FA1651845BCE7A3AB4EBB4FE54036D98D53A91CF2CA44D8369
                          APIs
                            • Part of subcall function 00007FF718D4CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                            • Part of subcall function 00007FF718D4CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          • memset.MSVCRT ref: 00007FF718D4BA2B
                          • wcschr.MSVCRT ref: 00007FF718D4BA8A
                          • wcschr.MSVCRT ref: 00007FF718D4BAAA
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heapwcschr$AllocProcessmemset
                          • String ID: -$:.\$=,;$=,;+/[] "
                          • API String ID: 2872855111-969133440
                          • Opcode ID: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                          • Instruction ID: d835583ea9d37ce22172e5bd9dd944262f36099ec3a71817a17c57039e2e1424
                          • Opcode Fuzzy Hash: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                          • Instruction Fuzzy Hash: 66B18231A08F4A81EB60AB55908427DE6A0FF5C7A4FD94275CADE43B94DF7CE44D8328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$ErrorLast$InformationVolume
                          • String ID: %04X-%04X$~
                          • API String ID: 2748242238-2468825380
                          • Opcode ID: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                          • Instruction ID: 62366b6070cda8ac0365ff460f1020668ab09dd1e282c47f873b9045856bce3c
                          • Opcode Fuzzy Hash: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                          • Instruction Fuzzy Hash: 59A19462708FC58AEB25EF2198502E9F7A1FB49798F804135DA8D4BB89DF3CD60D8714
                          APIs
                          • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF718D56570,?,?,?,?,?,?,00000000,00007FF718D56488), ref: 00007FF718D56677
                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF718D56570,?,?,?,?,?,?,00000000,00007FF718D56488), ref: 00007FF718D5668F
                          • _errno.MSVCRT ref: 00007FF718D566A3
                          • wcstol.MSVCRT ref: 00007FF718D566C4
                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF718D56570,?,?,?,?,?,?,00000000,00007FF718D56488), ref: 00007FF718D566E4
                          • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF718D56570,?,?,?,?,?,?,00000000,00007FF718D56488), ref: 00007FF718D566FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswdigit$_errnoiswalphawcschrwcstol
                          • String ID: +-~!$APerformUnaryOperation: '%c'
                          • API String ID: 2348642995-441775793
                          • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                          • Instruction ID: 6ddf37b870860cd7baf63c10ee17502b0ddabca1cc06ac3c100ad79bf9ca1a3f
                          • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                          • Instruction Fuzzy Hash: 39714E62908F4A85E7606F25F450179F7B0EB5DFA4FD48232DA8E06694EF3CA48CC725
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                          • String ID: FAT$~
                          • API String ID: 2238823677-1832570214
                          • Opcode ID: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                          • Instruction ID: ca18c43669ad99307799dbede8038b86404c783e663087b0797cb6754369eaca
                          • Opcode Fuzzy Hash: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                          • Instruction Fuzzy Hash: B7719F32608FC589EB21EF2198512EAF7A0FB49798F844135DA8D4BB58DF38D24DC714
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF718D4FE2A), ref: 00007FF718D4D884
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF718D4FE2A), ref: 00007FF718D4D89D
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF718D4FE2A), ref: 00007FF718D4D94D
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF718D4FE2A), ref: 00007FF718D4D964
                          • _wcsnicmp.MSVCRT ref: 00007FF718D4DB89
                          • wcstol.MSVCRT ref: 00007FF718D4DBDF
                          • wcstol.MSVCRT ref: 00007FF718D4DC63
                          • memmove.MSVCRT ref: 00007FF718D4DD33
                          • memmove.MSVCRT ref: 00007FF718D4DE9A
                          • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF718D4FE2A), ref: 00007FF718D4DF1F
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                          • String ID:
                          • API String ID: 1051989028-0
                          • Opcode ID: 3eb282f1936630003c50c214bbc81d4f8471c73227843184e7e06612691cab38
                          • Instruction ID: da0408748e0cb124a4b1ffb8f6240253579d39465e22cc6f07cb20335c9ccaa0
                          • Opcode Fuzzy Hash: 3eb282f1936630003c50c214bbc81d4f8471c73227843184e7e06612691cab38
                          • Instruction Fuzzy Hash: 3B028232A08F4981EB24AF15E40027AF6A1FB5DBA4F984275DACD43B94DF7DD04D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$_wcsicmp$AllocProcess
                          • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                          • API String ID: 3223794493-3086019870
                          • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                          • Instruction ID: 8a16cf73e8b84ef4f4f50ec84ef19c1d8250074c3dec8f81551d67a78790c37b
                          • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                          • Instruction Fuzzy Hash: 0D516D35A08F4A8AEB04AB15A411179EBB0FB5DBB4FD84175C99E027A4DF3CE04DC728
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID:
                          • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                          • API String ID: 0-3124875276
                          • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                          • Instruction ID: 8968e41c02fea122bd66b866cd6bd472781b9dd1e8c3e614d40003c02c0092b5
                          • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                          • Instruction Fuzzy Hash: 6B516320A0CF4B81F7147F21E450278E7B1AF4DB69FC04136D68D462A5EF7CA04D8369
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                          • String ID: 0123456789
                          • API String ID: 1606811317-2793719750
                          • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                          • Instruction ID: a70b9270106f80ed3731852e4a003216e7a3ae6e2577571361f2edc1e6efcdfd
                          • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                          • Instruction Fuzzy Hash: DED16F31A09F4A81EB10AB15A445279E6B0FF497A4FC84272DADD477A5DF3CE40DC728
                          APIs
                          • memset.MSVCRT ref: 00007FF718D57013
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D57123
                            • Part of subcall function 00007FF718D51EA0: wcschr.MSVCRT(?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF718D70D54), ref: 00007FF718D51EB3
                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D5706E
                          • wcsncmp.MSVCRT ref: 00007FF718D570A5
                          • wcsstr.MSVCRT ref: 00007FF718D5F9DB
                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D5FA00
                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D5FA5F
                            • Part of subcall function 00007FF718D5823C: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D58280
                            • Part of subcall function 00007FF718D5823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D5829D
                            • Part of subcall function 00007FF718D53A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D6EAC5,?,?,?,00007FF718D6E925,?,?,?,?,00007FF718D4B9B1), ref: 00007FF718D53A56
                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D5FA3D
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                          • String ID: \\.\
                          • API String ID: 799470305-2900601889
                          • Opcode ID: 54d19c3779d548040f92f3520906801ddb16aa6d7fde4edd6d52b252c225e034
                          • Instruction ID: 041ea6e1ad63cdc29dc9cdc4467b97599f121f8c099c10d529d3850289a194ce
                          • Opcode Fuzzy Hash: 54d19c3779d548040f92f3520906801ddb16aa6d7fde4edd6d52b252c225e034
                          • Instruction Fuzzy Hash: 6751A731A08F8685EB60AF21D4006B9E7B0FB8DB64F955636DA8D0B794DF3CD54D8324
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                          • String ID:
                          • API String ID: 1944892715-0
                          • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                          • Instruction ID: 2b0c926f097da8523777e60122bdfdf38e60b27669c35ed50f41ba0c53c98e29
                          • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                          • Instruction Fuzzy Hash: F4B16031A09F4A8AEB64BF11A451179E6A0AF5DBA4FC84135CACE47790DF3CE44CC728
                          APIs
                            • Part of subcall function 00007FF718D53578: _get_osfhandle.MSVCRT ref: 00007FF718D53584
                            • Part of subcall function 00007FF718D53578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                            • Part of subcall function 00007FF718D53578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                            • Part of subcall function 00007FF718D53578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                            • Part of subcall function 00007FF718D53578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                            • Part of subcall function 00007FF718D53578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          • _get_osfhandle.MSVCRT ref: 00007FF718D454DE
                          • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF718D41F7D), ref: 00007FF718D4552B
                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF718D41F7D), ref: 00007FF718D4554F
                          • _get_osfhandle.MSVCRT ref: 00007FF718D6345F
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF718D41F7D), ref: 00007FF718D6347E
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF718D41F7D), ref: 00007FF718D634C3
                          • _get_osfhandle.MSVCRT ref: 00007FF718D634DB
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF718D41F7D), ref: 00007FF718D634FA
                            • Part of subcall function 00007FF718D536EC: _get_osfhandle.MSVCRT ref: 00007FF718D53715
                            • Part of subcall function 00007FF718D536EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF718D53770
                            • Part of subcall function 00007FF718D536EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D53791
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                          • String ID:
                          • API String ID: 1356649289-0
                          • Opcode ID: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                          • Instruction ID: ef1f6759a07f0ca2fb31d7a0e60a34f2676fa420df39c694d90554dd7eadbcb5
                          • Opcode Fuzzy Hash: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                          • Instruction Fuzzy Hash: CE915131A08F4A87EB18AF15A401179F6A1FB8DBA4FD84135DA8E47B54DF3CE44C8B18
                          APIs
                            • Part of subcall function 00007FF718D558E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF718D6C6DB), ref: 00007FF718D558EF
                            • Part of subcall function 00007FF718D5081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D5084E
                          • towupper.MSVCRT ref: 00007FF718D6C1C9
                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D6C31C
                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF718D6C5CB
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                          • String ID: %s $%s>$PROMPT$Unknown$\$x
                          • API String ID: 2242554020-3610052186
                          • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                          • Instruction ID: aeeeee4f7a869a25eda419079a81743dcab55c36b35f4003890a763614b70bbf
                          • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                          • Instruction Fuzzy Hash: 3F126E21E08F4E81EB24BB55A44417AE6A0EF49BB4FE44236D9DD437E4DE3CE50D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: LocalTime$ErrorLast_get_osfhandle
                          • String ID: %s$/-.$:
                          • API String ID: 1644023181-879152773
                          • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                          • Instruction ID: c7272a55ea01a4274ca06300b5e2a925d986a8746adb601935e68d61e7e4d6fe
                          • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                          • Instruction Fuzzy Hash: B69193A2A08F4E91EF14AB25D4522B9E3A0FF48BB4FD44136D9CE42694DE3CE54DC724
                          APIs
                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF718D67251), ref: 00007FF718D6628E
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ObjectSingleWait
                          • String ID: wil
                          • API String ID: 24740636-1589926490
                          • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                          • Instruction ID: d5c0364e89f76d35f7b678a08f72c01c08c8a2aa28c9d98935f29dd209503926
                          • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                          • Instruction Fuzzy Hash: 0D416121A08F4B83F3606B11F40127DE6A1EF8D7A4FF48131E98946694DF3DE84C8725
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                          • String ID: $Application$System
                          • API String ID: 3377411628-1881496484
                          • Opcode ID: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                          • Instruction ID: 91b5ffe50e93a4e4f91f51e0ded5a2f0c5fc3cae294cd853ac092d88894eee41
                          • Opcode Fuzzy Hash: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                          • Instruction Fuzzy Hash: 7F414832B08F469AE710AB60E4403EDB7B5EB8D768F845235DA8E42B58EF38D10DC754
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                          • String ID: :$\
                          • API String ID: 3961617410-1166558509
                          • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                          • Instruction ID: d5743234bf9cbb52a2a32f588e034dd845ce0662e571145db5340151e10f53ab
                          • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                          • Instruction Fuzzy Hash: 0B218032B08F8A86EB106B60A4450B9E6B1EB4DBA4BC88675D98F42790DF3CD44C8625
                          APIs
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506D6
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506F0
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D5074D
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D50762
                          • _wcsicmp.MSVCRT ref: 00007FF718D525CA
                          • _wcsicmp.MSVCRT ref: 00007FF718D525E8
                          • _wcsicmp.MSVCRT ref: 00007FF718D5260F
                          • _wcsicmp.MSVCRT ref: 00007FF718D52636
                          • _wcsicmp.MSVCRT ref: 00007FF718D52650
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmp$Heap$AllocProcess
                          • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                          • API String ID: 3407644289-1668778490
                          • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                          • Instruction ID: d77ecf3db381c8a66aaa2fe7df130025494dd34f60b2c4f1351ff9d81530b148
                          • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                          • Instruction Fuzzy Hash: 0E315D21A0CF0A85F7157F21E815279E6B5AF8CB65FC48136EA8E46295DF3CE40CC729
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                          • String ID: &()[]{}^=;!%'+,`~
                          • API String ID: 2516562204-381716982
                          • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                          • Instruction ID: 1ea875492baddd73b5eee117b03c72bb4a99c5cb796b55bb25a8c0899670b689
                          • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                          • Instruction Fuzzy Hash: 0DC1B032A04B5586EB54AF25E84067EF7A1FB48BA8F841235DE8D03B94DF3CE458C714
                          APIs
                            • Part of subcall function 00007FF718D4D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D46E
                            • Part of subcall function 00007FF718D4D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D485
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D4EE
                            • Part of subcall function 00007FF718D4D3F0: iswspace.MSVCRT ref: 00007FF718D4D54D
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D569
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D58C
                          • iswspace.MSVCRT ref: 00007FF718D57EEE
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heapiswspace$AllocProcess
                          • String ID: A
                          • API String ID: 3731854180-3554254475
                          • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                          • Instruction ID: 3a466747c638f7a2f4f37ef013ba15606f98c853852929f1f0cc1b4dad51bab7
                          • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                          • Instruction Fuzzy Hash: 32A17C21909F8A8AE720BB11A451279F6B0FF4D7A4FE48135DACD47794DF3CA84D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: MemoryProcessRead$AddressLibraryLoadProc
                          • String ID: NTDLL.DLL$NtQueryInformationProcess
                          • API String ID: 1580871199-2613899276
                          • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                          • Instruction ID: 5b85a46dcb55ae807b95f414b811bdbfec41bf298cf41bf43dc8c7d37b3dad14
                          • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                          • Instruction Fuzzy Hash: 24515D71A18F8A86EB109B16A800279F7A5FB88BA4F945135DADE03754DF3CE40DC718
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                          • String ID: con
                          • API String ID: 689241570-4257191772
                          • Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                          • Instruction ID: 62cf8bcdd974b7cc7c1bbc34dc538cbd8db4e89e63605e0833817ff404543920
                          • Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                          • Instruction Fuzzy Hash: 70416D32A08F4986E310AB159484379FAA1FB8DBB4F998334DAAD53790CF3DD84D8754
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                          • String ID: PE
                          • API String ID: 2941894976-4258593460
                          • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                          • Instruction ID: 224424bc2e105748b0ac1c47427e60060a8b72bcc7bf380fc76f82bed164be16
                          • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                          • Instruction Fuzzy Hash: 2F415161608F9986E724AB12E410279F7A1FB8DBA0F944230DADD03B95DF3CE44DCB25
                          APIs
                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF718D6849D,?,?,?,00007FF718D6F0C7), ref: 00007FF718D50045
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF718D6F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D50071
                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D50092
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF718D500A7
                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D50148
                          • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF718D50181
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                          • String ID:
                          • API String ID: 734197835-0
                          • Opcode ID: 6daa823d36a278c72bc8dcf2d42bf9926b6fb5b8f0ec4fad86b12d1df65ba387
                          • Instruction ID: 6f59c87964cb0aed17ec8195823add5250b497e6625b46caaf8c861165e81acd
                          • Opcode Fuzzy Hash: 6daa823d36a278c72bc8dcf2d42bf9926b6fb5b8f0ec4fad86b12d1df65ba387
                          • Instruction Fuzzy Hash: AC618621D08F9A86E724AB159801779FAB1BB4DB64FC48232D9DD43790DF3C984DC725
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Enum$Openwcsrchr
                          • String ID: %s=%s$.$\Shell\Open\Command
                          • API String ID: 3402383852-1459555574
                          • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                          • Instruction ID: d6aad88592c66eec9f32d1871268cc42b498b754b7e474adba26d290f8d7e2eb
                          • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                          • Instruction Fuzzy Hash: 53A1A161A09F4E92EB10BB5590502F9E2A0EF89BB4FE44131DA8D07785DF7CE94DC728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$wcscmp
                          • String ID: %s
                          • API String ID: 243296809-3043279178
                          • Opcode ID: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                          • Instruction ID: 741d5141561bca077d736d9281fb106e746904ffab9713e5cc5209eadce14f29
                          • Opcode Fuzzy Hash: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                          • Instruction Fuzzy Hash: DEA19422709B8A96EB25EB21D8403F9E3B0FB4C758F944136DA8D4B695DF3CE64C8314
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$EnvironmentVariable
                          • String ID: DIRCMD
                          • API String ID: 1405722092-1465291664
                          • Opcode ID: 8078cba09e9f127300f2d445a1f6b2ae68663ae13b6bf8917c390c7797f52333
                          • Instruction ID: a175477bb189f4dc0fd7eb93d5f2da908be276b8d81c5d6785e9b3b5df20c0be
                          • Opcode Fuzzy Hash: 8078cba09e9f127300f2d445a1f6b2ae68663ae13b6bf8917c390c7797f52333
                          • Instruction Fuzzy Hash: 56816E72A04BC58AEB20DF60E8802EDB7B5FB48758F944139DA8D67B58DF38D149C714
                          APIs
                            • Part of subcall function 00007FF718D4CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                            • Part of subcall function 00007FF718D4CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          • wcschr.MSVCRT(?,?,?,00007FF718D499DD), ref: 00007FF718D49A39
                            • Part of subcall function 00007FF718D4DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF718D4CEAA), ref: 00007FF718D4DFB8
                            • Part of subcall function 00007FF718D4DF60: RtlFreeHeap.NTDLL ref: 00007FF718D4DFCC
                            • Part of subcall function 00007FF718D4DF60: _setjmp.MSVCRT ref: 00007FF718D4E03E
                          • wcschr.MSVCRT(?,?,?,00007FF718D499DD), ref: 00007FF718D49AF0
                          • wcschr.MSVCRT(?,?,?,00007FF718D499DD), ref: 00007FF718D49B0F
                            • Part of subcall function 00007FF718D496E8: memset.MSVCRT ref: 00007FF718D497B2
                            • Part of subcall function 00007FF718D496E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D49880
                          • _wcsupr.MSVCRT ref: 00007FF718D5B844
                          • wcscmp.MSVCRT ref: 00007FF718D5B86D
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                          • String ID: FOR$ IF
                          • API String ID: 3663254013-2924197646
                          • Opcode ID: f67f85f591da67d4ae817e2fb353553f76712647fd4c669d5220a84d1aca1485
                          • Instruction ID: 57c65a8cb56f0cd961f94f81892f172e84627d315bb8399391af1ef98b31e7fa
                          • Opcode Fuzzy Hash: f67f85f591da67d4ae817e2fb353553f76712647fd4c669d5220a84d1aca1485
                          • Instruction Fuzzy Hash: 86518D20A09F4A91FF14BB169451279EAB1AF4DBB0FC84235D99E47BD1DF3CA40D8728
                          APIs
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F0D6
                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1BA
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F1E7
                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1FF
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F2BB
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswdigit$iswspacewcschr
                          • String ID: )$=,;
                          • API String ID: 1959970872-2167043656
                          • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                          • Instruction ID: 77edb9c98d02974ef9be8c98f181eafc5909187ffa9576e29b0bc66c720f11d0
                          • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                          • Instruction Fuzzy Hash: 1B41AD71E08B5A86FB647B14A448379E6A0AF18765FC850B2CACD429B4DF3CA44D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorLast$InformationVolumeiswalphatowupper
                          • String ID: %04X-%04X$:
                          • API String ID: 930873262-1938371929
                          • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                          • Instruction ID: 0bb617ca816231789e5dd26c5c0f4ade15249dee34eb819920da55e67533b9a2
                          • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                          • Instruction Fuzzy Hash: 56415E21A08F8AC2EB24BB64E4412BAE261FB8D764FD44236D9CD426D5DF3CD54CC728
                          APIs
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D568A3,?,?,?,?,?,?,?,00000000,?,00007FF718D563F3), ref: 00007FF718D56A73
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D568A3,?,?,?,?,?,?,?,00000000,?,00007FF718D563F3), ref: 00007FF718D56A91
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D568A3,?,?,?,?,?,?,?,00000000,?,00007FF718D563F3), ref: 00007FF718D56AB0
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D568A3,?,?,?,?,?,?,?,00000000,?,00007FF718D563F3), ref: 00007FF718D56AE3
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D568A3,?,?,?,?,?,?,?,00000000,?,00007FF718D563F3), ref: 00007FF718D56B01
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$iswdigit
                          • String ID: +-~!$<>+-*/%()|^&=,
                          • API String ID: 2770779731-632268628
                          • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                          • Instruction ID: 16fd7e23fb035c02158b63c0ec5df90df2d8d1526d6ec4a4550df372fc0fb076
                          • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                          • Instruction Fuzzy Hash: 9231DA22A09F5A85EB54AF11F450279F7B0FB99F65BC58236DA9E43354EE3CA40C8324
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                          • String ID:
                          • API String ID: 3192234081-0
                          • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                          • Instruction ID: 35cfee08c063dc0e39222a9bbaf2c321f5d41d9ff0f9afa8c49a627b3fe02081
                          • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                          • Instruction Fuzzy Hash: 51319E31608B59CBE714BF21A44567DEBA0FB8DBA4F849234DA8A47791CF3CD40D8B14
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF718D514D6,?,?,?,00007FF718D4AA22,?,?,?,00007FF718D4847E), ref: 00007FF718D51673
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF718D514D6,?,?,?,00007FF718D4AA22,?,?,?,00007FF718D4847E), ref: 00007FF718D5168D
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF718D514D6,?,?,?,00007FF718D4AA22,?,?,?,00007FF718D4847E), ref: 00007FF718D51757
                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF718D514D6,?,?,?,00007FF718D4AA22,?,?,?,00007FF718D4847E), ref: 00007FF718D5176E
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF718D514D6,?,?,?,00007FF718D4AA22,?,?,?,00007FF718D4847E), ref: 00007FF718D51788
                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF718D514D6,?,?,?,00007FF718D4AA22,?,?,?,00007FF718D4847E), ref: 00007FF718D5179C
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Process$Alloc$Size
                          • String ID:
                          • API String ID: 3586862581-0
                          • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                          • Instruction ID: 6e3eeef79f6a23fd61b93da1a18674261ac20a0feab415d34a2fc0f99d196ffb
                          • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                          • Instruction Fuzzy Hash: 32916F21A09F4A85EB14AB159441279F6B1FB5CBA4FD94236DA8D433A4DF3CE44DC328
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                          • String ID:
                          • API String ID: 1313749407-0
                          • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                          • Instruction ID: 9f6cae6f7aee35e0f77e3a77ce1bbe6f1c02a03be65caf0c254e49b59fe9aabb
                          • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                          • Instruction Fuzzy Hash: 37519121A08F8A82EB14BB11A41517AE6B1BF4DBB0FD85231DD9E077D0DF3CE44C8268
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                          • String ID:
                          • API String ID: 920682188-0
                          • Opcode ID: a8a6e8177cbd8b682a13a2bb844deda24ae09a817a4e735513ea5a2a487d64ef
                          • Instruction ID: d33ba62552107c8f4b5cc84db13cb5c355fcb0d3a21275f32511857720aef5c0
                          • Opcode Fuzzy Hash: a8a6e8177cbd8b682a13a2bb844deda24ae09a817a4e735513ea5a2a487d64ef
                          • Instruction Fuzzy Hash: 64512532605F898AEB25EF20D8546E8B7A1FB8CB58F848135CA8D47754EF3CD6498714
                          APIs
                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1BA
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F1E7
                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1FF
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F2BB
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswdigit$iswspacewcschr
                          • String ID: )$=,;
                          • API String ID: 1959970872-2167043656
                          • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                          • Instruction ID: f1a42d63b15fd4677f2d4a957f866c9b97ffceb293076052d93c59e4f3613261
                          • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                          • Instruction Fuzzy Hash: A9418875E08F1F86FB647B14E548279E6A0AF19764FC850B2C9CD429B4CF3CA44D8629
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmpfprintfwcsrchr
                          • String ID: CMD Internal Error %s$%s$Null environment
                          • API String ID: 3625580822-2781220306
                          • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                          • Instruction ID: 204cbd769e1f0875f7cbf73aef710aa2dd40ae13215966ca5d07d53c4ccb5616
                          • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                          • Instruction Fuzzy Hash: B031A221A08F4EA2EB14BB42A5001FAF260BB4DBB4FD44131CD9D17795DE3CE44D8318
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memsetwcsspn
                          • String ID:
                          • API String ID: 3809306610-0
                          • Opcode ID: 231042d871709e842a58ac96de8cecde88a4784088973e8bd81687bc68b42317
                          • Instruction ID: 7ba139e2363e091adb7d427b75ee2bd73c8d577b275691610212b8c627089cc5
                          • Opcode Fuzzy Hash: 231042d871709e842a58ac96de8cecde88a4784088973e8bd81687bc68b42317
                          • Instruction Fuzzy Hash: BDB19161A08F4A85EB50AF15E45067AE7B0FB59BA0FC48132EA8D47794DF7CE44DC324
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$iswdigit$wcstol
                          • String ID:
                          • API String ID: 3841054028-0
                          • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                          • Instruction ID: c93649309e263e13e7b2f890f2f1ec39b6256d499b95d74c6fd47adb29d976d3
                          • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                          • Instruction Fuzzy Hash: 7D510462904F5E86E724AB1594011B9F6A1FF6C770BD48231DEDD426D4DF3CA44DC638
                          APIs
                          • _get_osfhandle.MSVCRT ref: 00007FF718D63687
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D636A6
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D636EB
                          • _get_osfhandle.MSVCRT ref: 00007FF718D63703
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D63722
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$Write_get_osfhandle$Mode
                          • String ID:
                          • API String ID: 1066134489-0
                          • Opcode ID: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                          • Instruction ID: 70e58f1ac48ebf456bd9a9f1f1b61df7aa01bd05b093d6df805d023acdc09c42
                          • Opcode Fuzzy Hash: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                          • Instruction Fuzzy Hash: D4519221B08F4E87EB286F11940457AE6A1EF5C7B4F984535DE8A03B90DF3CE44C8B28
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                          • String ID:
                          • API String ID: 3249344982-0
                          • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                          • Instruction ID: 67fee4a820dd34b833065ab626e3ab4b5b73ba4fc3aa5b9ff05d23ee2c31bdea
                          • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                          • Instruction Fuzzy Hash: 8A413E72A18F4986E314AF11A845369FAB4FB8DFE8F844235DA8907794CF3CD15C8B14
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$DriveErrorInformationLastTypeVolume
                          • String ID:
                          • API String ID: 850181435-0
                          • Opcode ID: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                          • Instruction ID: b203889d5f0bb95d178e20f205570ae0586644dc2670e45b89647728603e37eb
                          • Opcode Fuzzy Hash: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                          • Instruction Fuzzy Hash: 2B415932608FC589E7609F21D8452E9F7A0FB89B98F984135DA8D4BB48CF78D54DC714
                          APIs
                            • Part of subcall function 00007FF718D53578: _get_osfhandle.MSVCRT ref: 00007FF718D53584
                            • Part of subcall function 00007FF718D53578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                            • Part of subcall function 00007FF718D53578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                            • Part of subcall function 00007FF718D53578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                            • Part of subcall function 00007FF718D53578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                            • Part of subcall function 00007FF718D53578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D53514
                          • _get_osfhandle.MSVCRT ref: 00007FF718D53522
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D53541
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D5355E
                            • Part of subcall function 00007FF718D536EC: _get_osfhandle.MSVCRT ref: 00007FF718D53715
                            • Part of subcall function 00007FF718D536EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF718D53770
                            • Part of subcall function 00007FF718D536EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D53791
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                          • String ID:
                          • API String ID: 4057327938-0
                          • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                          • Instruction ID: 316f1a47dd59a251d695d5ce6f62c7713d66e6749d275f795458ea33fc1197f2
                          • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                          • Instruction Fuzzy Hash: 91315421E0CF4A87E7587B659441079FAB1EF8D760FD88276D98E83795DE3CE40C8628
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                          • String ID: KEYS$LIST$OFF
                          • API String ID: 411561164-4129271751
                          • Opcode ID: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                          • Instruction ID: 753df514f3e1a36935c4872a199873cd5b91fbf6bb99680e7f300a33536de4c1
                          • Opcode Fuzzy Hash: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                          • Instruction Fuzzy Hash: 8F214B20E48F0F82F754BB25A441175E6A1FB8CBB4FD49235C69E422E5EE2CA44C8728
                          APIs
                          • _get_osfhandle.MSVCRT ref: 00007FF718D501C4
                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D501D6
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D50212
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D50228
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D5023C
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D50251
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                          • String ID:
                          • API String ID: 513048808-0
                          • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                          • Instruction ID: d03c1f9f92c3210e64b1e92cb0cb6ea0720e8ec3e6c7208a28a75ab0284fff80
                          • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                          • Instruction Fuzzy Hash: EB21812190CF8AC7E7546B60A585238FAB0FF4EB75FD44235D99E42694CE3CE84C8729
                          APIs
                          • _get_osfhandle.MSVCRT ref: 00007FF718D53584
                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                          • String ID:
                          • API String ID: 513048808-0
                          • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                          • Instruction ID: 05792f759be9a57b349bcc43e2538aaecb10f58f0d121d656a7d726e6c95407b
                          • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                          • Instruction Fuzzy Hash: 5B114F21A08F4A86EB186B64A545078EAB0FF4EB75FD45335DAAE433D0DE3CD44C8715
                          APIs
                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF718D671F9
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D6720D
                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF718D67300
                            • Part of subcall function 00007FF718D65740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF718D675C4,?,?,00000000,00007FF718D66999,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D65744
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: OpenSemaphore$CloseErrorHandleLast
                          • String ID: _p0$wil
                          • API String ID: 455305043-1814513734
                          • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                          • Instruction ID: fca50cf682b42d35face77218cc045240f6028504ec657056dbda288d907cf0e
                          • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                          • Instruction Fuzzy Hash: 2C61A461B18F8E81EF25AB5594101B9E3A1EF8CBA4FE54632D98E07754EF3CD50D8328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heapiswspacememset$AllocProcess
                          • String ID: %s
                          • API String ID: 2401724867-3043279178
                          • Opcode ID: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                          • Instruction ID: ee73df1af08d14a386c196af009c4c73d0108abaa8434dca28edcc9b60a49866
                          • Opcode Fuzzy Hash: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                          • Instruction Fuzzy Hash: 3B51A172A08F8A85EB20AF21D8412B9F3B1EB4DBA4F844135DA8D47694EF3CD44DC724
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswdigit
                          • String ID: GeToken: (%x) '%s'
                          • API String ID: 3849470556-1994581435
                          • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                          • Instruction ID: 9cc2e445f1ee9d40ed7eecbf0cf4da1e4b74159ba150e642cccb1a79acf2aaa9
                          • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                          • Instruction Fuzzy Hash: 6F515A3190CF4A95E724AF56A484179F7A0BB58B34F888575DACD43A91DF7CE44CC328
                          APIs
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D69A10
                          • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D69994
                            • Part of subcall function 00007FF718D6A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A77A
                            • Part of subcall function 00007FF718D6A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A839
                            • Part of subcall function 00007FF718D6A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A850
                          • wcsrchr.MSVCRT ref: 00007FF718D69A62
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorLast$CloseEnumOpenwcsrchr
                          • String ID: %s=%s$.
                          • API String ID: 3242694432-4275322459
                          • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                          • Instruction ID: b51e6a082f48b20e9b2cda08afb49785b4f931f4ab9086aa061549c0067b45f6
                          • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                          • Instruction Fuzzy Hash: B2419F21A09F4E96EF14BB52A0502B9E2A1EF4D7B0FA44231DDDD077D5DE3CE44D8228
                          APIs
                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF718D654E6
                          • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF718D6552E
                            • Part of subcall function 00007FF718D6758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF718D66999,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D675AE
                            • Part of subcall function 00007FF718D6758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF718D66999,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D675C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorLast$CreateCurrentMutexProcess
                          • String ID: Local\SM0:%d:%d:%hs$wil$x
                          • API String ID: 779401067-630742106
                          • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                          • Instruction ID: fdfde9f4f1a61e2d858a5bfb858fd15130f35a21367ceb26d64344892a4c5122
                          • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                          • Instruction Fuzzy Hash: D6516372618F8E81EB11AB55E4016FAE360EB887A4FE04032EA8D47A55DE3CD44DC724
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CurrentDirectorytowupper
                          • String ID: :$:
                          • API String ID: 238703822-3780739392
                          • Opcode ID: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
                          • Instruction ID: d5088a22474bd482a6a7f71596e2fc7e46b816613df507a7f2b26d831fd6d3bf
                          • Opcode Fuzzy Hash: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
                          • Instruction Fuzzy Hash: BD112292608B4582EB24AB61A80563AF6B0FF4D7A9FC58232DD8D07794DE3CD00D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                          • API String ID: 3677997916-3870813718
                          • Opcode ID: f05f94d0e8c90ab29cc9672b6bad58f1af5175f7397cd948b2f834cc6da7e466
                          • Instruction ID: 2ad9cca77517636d47d5c777083e9e3e1320ae3780f69f1db63110ac429fe615
                          • Opcode Fuzzy Hash: f05f94d0e8c90ab29cc9672b6bad58f1af5175f7397cd948b2f834cc6da7e466
                          • Instruction Fuzzy Hash: 3511F576619B46C7EB109B50E44466AFBA4FB89764F844235EA8D02B68DF7CD04CCB18
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memsetwcsrchr$wcschr
                          • String ID:
                          • API String ID: 110935159-0
                          • Opcode ID: 7f89d826d325d620df1b2fcc26921faad221c5699a8a27cefdce3e68956840aa
                          • Instruction ID: cfdb750314014df78d34deafcf6d3e82b893b0df67dbd4dcf158389f9464f1f2
                          • Opcode Fuzzy Hash: 7f89d826d325d620df1b2fcc26921faad221c5699a8a27cefdce3e68956840aa
                          • Instruction Fuzzy Hash: 6351C522B0AF8A85FB21AB1198443F9D391BF4CBB4F984271CE9D07B84DE3CD18D8214
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$CurrentDirectorytowupper
                          • String ID:
                          • API String ID: 1403193329-0
                          • Opcode ID: 42cade6b9a84014cdd55cf9873a1d02384d54167611cbf46e5f63f406bd17b97
                          • Instruction ID: d3c3830ac4fa294bfd0166fbbd0880678090e88dcc72baf3060690436ba86fa5
                          • Opcode Fuzzy Hash: 42cade6b9a84014cdd55cf9873a1d02384d54167611cbf46e5f63f406bd17b97
                          • Instruction Fuzzy Hash: 5E51B926605B8985EB65AF24E9006B9F7B0FF4C768FC58236D98D07694EF3CD54C8324
                          APIs
                          • memset.MSVCRT ref: 00007FF718D4921C
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D493AA
                            • Part of subcall function 00007FF718D48B20: wcsrchr.MSVCRT ref: 00007FF718D48BAB
                            • Part of subcall function 00007FF718D48B20: _wcsicmp.MSVCRT ref: 00007FF718D48BD4
                            • Part of subcall function 00007FF718D48B20: _wcsicmp.MSVCRT ref: 00007FF718D48BF2
                            • Part of subcall function 00007FF718D48B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D48C16
                            • Part of subcall function 00007FF718D48B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D48C2F
                            • Part of subcall function 00007FF718D48B20: wcschr.MSVCRT ref: 00007FF718D48CB3
                            • Part of subcall function 00007FF718D5417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D541AD
                            • Part of subcall function 00007FF718D53060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF718D492AC), ref: 00007FF718D530CA
                            • Part of subcall function 00007FF718D53060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D530DD
                            • Part of subcall function 00007FF718D53060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D530F6
                            • Part of subcall function 00007FF718D53060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D53106
                          • wcsrchr.MSVCRT ref: 00007FF718D492D8
                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D49362
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D49373
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                          • String ID:
                          • API String ID: 3966000956-0
                          • Opcode ID: ebfeb5aba0ebfd8d4bf52c22c54dc17d70488fb3d721b256590214c2a6c830f5
                          • Instruction ID: da95b63afb2cd9854da63f31223b6ce31f6ec4b8c7999bdc5c0510cf410f0d62
                          • Opcode Fuzzy Hash: ebfeb5aba0ebfd8d4bf52c22c54dc17d70488fb3d721b256590214c2a6c830f5
                          • Instruction Fuzzy Hash: 6A519132A09B8A85EB21AF21D8552BDE3A0FB4DB64F884171DA8D07B94DF3CE15DC714
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$_setjmp
                          • String ID:
                          • API String ID: 3883041866-0
                          • Opcode ID: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                          • Instruction ID: 5c857462265ea7e8ece4aab7cba0a225c68c158e208e0b9ce2de64e9c7b350cf
                          • Opcode Fuzzy Hash: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                          • Instruction Fuzzy Hash: 13518132608B8A8AEB61EF21D8413E9F7A4FB49758F844175DA8C47A48DF3CD64CCB14
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$FreeProcess_setjmp
                          • String ID:
                          • API String ID: 777023205-0
                          • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                          • Instruction ID: 82b0b483243eae06aeca2f551c84fd05aa2fb49c38ff94c7b6a3e1b9c30da641
                          • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                          • Instruction Fuzzy Hash: E151683090DF4A89FB10BF11A882538F6A0FF5E774FD84575E98D826A5DE3CA44C8729
                          APIs
                          • _wcsicmp.MSVCRT ref: 00007FF718D4B4BD
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506D6
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506F0
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D5074D
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D50762
                          • _wcsicmp.MSVCRT ref: 00007FF718D4B518
                          • _wcsicmp.MSVCRT ref: 00007FF718D4B58B
                          Strings
                          Similarity
                          • API ID: Heap$_wcsicmp$AllocProcess
                          • String ID: ELSE$IF/?
                          • API String ID: 3223794493-1134991328
                          APIs
                          Similarity
                          • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                          • String ID:
                          • API String ID: 1532185241-0
                          APIs
                          Similarity
                          • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                          • String ID:
                          • API String ID: 3588551418-0
                          APIs
                          Similarity
                          • API ID: ErrorModememset$FullNamePath_wcsicmp
                          • String ID:
                          • API String ID: 2123716050-0
                          APIs
                          Similarity
                          • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                          • String ID:
                          • API String ID: 3114114779-0
                          APIs
                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A77A
                          • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A7AF
                          • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A80E
                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A839
                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A850
                          Similarity
                          • API ID: QueryValue$CloseErrorLastOpen
                          • String ID:
                          • API String ID: 2240656346-0
                          APIs
                            • Part of subcall function 00007FF718D501B8: _get_osfhandle.MSVCRT ref: 00007FF718D501C4
                            • Part of subcall function 00007FF718D501B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D501D6
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D6D0F9
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF718D6D10F
                          • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF718D6D166
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D6D17A
                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF718D6D18C
                          Similarity
                          • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                          • String ID:
                          • API String ID: 3008996577-0
                          APIs
                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF718D6C9EE,?,?,?,00007FF718D6EA6C,?,?,?,00007FF718D6E925), ref: 00007FF718D55CCB
                          • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF718D6C9EE,?,?,?,00007FF718D6EA6C,?,?,?,00007FF718D6E925), ref: 00007FF718D55CDF
                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF718D55D03
                          • fprintf.MSVCRT ref: 00007FF718D5F4A9
                          • fflush.MSVCRT ref: 00007FF718D5F4C2
                          Similarity
                          • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                          • String ID:
                          • API String ID: 1826527819-0
                          APIs
                          Strings
                          Similarity
                          • API ID: CreateSemaphore
                          • String ID: _p0$wil
                          • API String ID: 1078844751-1814513734
                          APIs
                          • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF718D6B934
                          • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF718D55085), ref: 00007FF718D6B9A5
                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF718D55085), ref: 00007FF718D6B9F7
                          Strings
                          Similarity
                          • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                          • String ID: %WINDOWS_COPYRIGHT%
                          • API String ID: 1103618819-1745581171
                          APIs
                          Strings
                          Similarity
                          • API ID: memset$_wcslwr
                          • String ID: [%s]
                          • API String ID: 886762496-302437576
                          APIs
                            • Part of subcall function 00007FF718D533A8: iswspace.MSVCRT(?,?,00000000,00007FF718D6D6EE,?,?,?,00007FF718D60632), ref: 00007FF718D533C0
                          • iswspace.MSVCRT(?,?,?,00007FF718D532A4), ref: 00007FF718D5331C
                          Strings
                          Similarity
                          • API ID: iswspace
                          • String ID: off
                          • API String ID: 2389812497-733764931
                          APIs
                          Strings
                          Similarity
                          • API ID: wcschr$Heapiswspace$AllocProcess
                          • String ID: %s=%s$DPATH$PATH
                          • API String ID: 3731854180-3148396303
                          APIs
                          Strings
                          Similarity
                          • API ID: wcscmp
                          • String ID: *.*$????????.???
                          • API String ID: 3392835482-3870530610
                          APIs
                          Strings
                          Similarity
                          • API ID: fprintf
                          • String ID: CMD Internal Error %s$%s$Null environment
                          • API String ID: 383729395-2781220306
                          APIs
                          Strings
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: KERNEL32.DLL$SetThreadUILanguage
                          • API String ID: 1646373207-2530943252
                          APIs
                          Strings
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: RaiseFailFastException$kernelbase.dll
                          • API String ID: 1646373207-919018592
                          • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                          • Instruction ID: f2dd6b6a1dee8cabe8e313870b138f1466d3e0bea6b87e23bc3d8b3cffe597c1
                          • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                          • Instruction Fuzzy Hash: 56F0DA21A18F9992EB04AB12F445079EA60FF8DBE5BC89535EA8E07B14DF3CD48DC714
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$CurrentDirectorytowupper
                          • String ID:
                          • API String ID: 1403193329-0
                          • Opcode ID: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                          • Instruction ID: ba9da38a9d6737a6aaf5cc53de4c1bc6c47ec2e4f3ff0c51ded7d74d21885afc
                          • Opcode Fuzzy Hash: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                          • Instruction Fuzzy Hash: C8619032B08F868AEB10EB65D4402ADF7B4FB48768F944235DE9D13A99DF38D458C714
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmp$wcschr
                          • String ID:
                          • API String ID: 3270668897-0
                          • Opcode ID: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                          • Instruction ID: 40627050a77f7227ef01b8098dcd59417e409b252abaaf53cb8b44bd219a65c1
                          • Opcode Fuzzy Hash: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                          • Instruction Fuzzy Hash: 8F519151A08F4A81EB617F1194411B9E3B1EF4DBA0FD8C236CA9E072D9DE2CD94D8379
                          APIs
                            • Part of subcall function 00007FF718D51EA0: wcschr.MSVCRT(?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF718D70D54), ref: 00007FF718D51EB3
                          • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF718D492AC), ref: 00007FF718D530CA
                          • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D530DD
                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D530F6
                          • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D53106
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorMode$FullNamePathwcschr
                          • String ID:
                          • API String ID: 1464828906-0
                          • Opcode ID: 4608740039e49971374e978e9372c54a28b1034dfcf154244c984753711d5cb1
                          • Instruction ID: c889df3ebdacfdb04711b6fce73e33ff5ff8fd4858718324fa43cf76411395ed
                          • Opcode Fuzzy Hash: 4608740039e49971374e978e9372c54a28b1034dfcf154244c984753711d5cb1
                          • Instruction Fuzzy Hash: 18310361A08B5982E724BF15A40047EF671EB4EBA4FD48336DA8A473D0DE7DE84D8318
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$DriveFullNamePathType
                          • String ID:
                          • API String ID: 3442494845-0
                          • Opcode ID: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
                          • Instruction ID: 0c11b9a37a9eceea58ed4e2e1fd2dc80805efd23bb4418196a992fd0d39c592a
                          • Opcode Fuzzy Hash: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
                          • Instruction Fuzzy Hash: 3C31AF32605FC98AEB60EF11E8407E9B3A4FB88B88F844175DA8D47B54CF38D209C710
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                          • String ID:
                          • API String ID: 140117192-0
                          • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                          • Instruction ID: 82200f3491292aad5026a8191ba7ae4ea7c0f38d56c0fb814d41d48ac875d4cd
                          • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                          • Instruction Fuzzy Hash: 80419226A08F4985EB50AB18F881369E364FB8C768FD04136D9CD92768DF3DE44DC724
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: File_get_osfhandle$TimeWrite
                          • String ID:
                          • API String ID: 4019809305-0
                          • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                          • Instruction ID: d211a0eefdb75d2fa537275f58f4717569da6899fc596df81fb4ef00a9f09b1a
                          • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                          • Instruction Fuzzy Hash: 8631A121A08F4E86E7906B159481379E7A1AF4EB74FA49239D9CD43B95CF3CD84C8618
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcstol$lstrcmp
                          • String ID:
                          • API String ID: 3515581199-0
                          • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                          • Instruction ID: 0c1b3612ab7b3288d07a16fb3f0ebad290aa84f2ee98ded7763c0231b41da0d4
                          • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                          • Instruction Fuzzy Hash: A1218032A08B4683E7656B69E09513FEAB0FB4D760F855235DBCF02754CE6CE44D8614
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: File$DeleteErrorLastWrite_get_osfhandle
                          • String ID:
                          • API String ID: 2448200120-0
                          • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                          • Instruction ID: 46ceecc5a0e39e90d7fb4646135b52793178a5330898db7b16a1bda6f2697f07
                          • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                          • Instruction Fuzzy Hash: E5213A31A08F4E8BE7157B11A401279F7A1EBCDBA1FE44135E98943794CF3CE44D8A28
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$DriveNamePathTypeVolume
                          • String ID:
                          • API String ID: 1029679093-0
                          • Opcode ID: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
                          • Instruction ID: 6f466a01c41ebd13fe00cec33db520b6f9950a6ee2f23499533c673f3417006c
                          • Opcode Fuzzy Hash: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
                          • Instruction Fuzzy Hash: 34312932705F858AEB209F21D8553E8A7A5FB8DB98F844135CA8D47B48DF38D64DC714
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                          • Instruction ID: 2317785fe519c490819a965629c3e331c58cec34f674025e2de6e5cc13149f3a
                          • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                          • Instruction Fuzzy Hash: A5219261A08F49C6EB04AB51A900079F7B1FF8DFE5B959231CA9E03795DE3CE40D8724
                          APIs
                            • Part of subcall function 00007FF718D53C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D53D0C
                            • Part of subcall function 00007FF718D53C24: towupper.MSVCRT ref: 00007FF718D53D2F
                            • Part of subcall function 00007FF718D53C24: iswalpha.MSVCRT ref: 00007FF718D53D4F
                            • Part of subcall function 00007FF718D53C24: towupper.MSVCRT ref: 00007FF718D53D75
                            • Part of subcall function 00007FF718D53C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D53DBF
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925,?,?,?,?,00007FF718D4B9B1), ref: 00007FF718D46ABF
                          • RtlFreeHeap.NTDLL ref: 00007FF718D46AD3
                            • Part of subcall function 00007FF718D46B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF718D46AE8,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B8B
                            • Part of subcall function 00007FF718D46B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF718D46AE8,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B97
                            • Part of subcall function 00007FF718D46B84: RtlFreeHeap.NTDLL ref: 00007FF718D46BAF
                            • Part of subcall function 00007FF718D46B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D46AF1,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B39
                            • Part of subcall function 00007FF718D46B30: RtlFreeHeap.NTDLL ref: 00007FF718D46B4D
                            • Part of subcall function 00007FF718D46B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D46AF1,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B59
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925,?,?,?,?,00007FF718D4B9B1), ref: 00007FF718D46B03
                          • RtlFreeHeap.NTDLL ref: 00007FF718D46B17
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                          • String ID:
                          • API String ID: 3512109576-0
                          • Opcode ID: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                          • Instruction ID: f42d970d601c5e6634eb633fce20940771660511a128658ad0c6f260eb06a008
                          • Opcode Fuzzy Hash: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                          • Instruction Fuzzy Hash: D3219F21909F8AC5EB04BF65A4153B8FBA1EF5DB59F988071CA8E03351DE2CA44DC338
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B6D0
                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B6E7
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B701
                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B715
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocSize
                          • String ID:
                          • API String ID: 2549470565-0
                          • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                          • Instruction ID: 6b200a1628b1971bd647378313e4c0b820458c63185ef431d3856d4167e8f1c3
                          • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                          • Instruction Fuzzy Hash: CC214531A09F8A86EB18AB55E440078F6A1FB5DBA4BDC9571DA8E03B54DF3CE44DC324
                          APIs
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF718D5507A), ref: 00007FF718D6D01C
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF718D5507A), ref: 00007FF718D6D033
                          • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF718D5507A), ref: 00007FF718D6D06D
                          • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF718D5507A), ref: 00007FF718D6D07F
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                          • String ID:
                          • API String ID: 1033415088-0
                          • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                          • Instruction ID: 42b132d44e5f9cf2501d1c40f15658e93d7699485f8d3bf1b539a597676311d9
                          • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                          • Instruction Fuzzy Hash: C0117C31618B8686EB049B20B00517AF7A0FB8EBA5F805135EACE47B54DF3CC0498B14
                          APIs
                            • Part of subcall function 00007FF718D51EA0: wcschr.MSVCRT(?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF718D70D54), ref: 00007FF718D51EB3
                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D45A2E
                          • _open_osfhandle.MSVCRT ref: 00007FF718D45A4F
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D637AA
                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF718D637D2
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                          • String ID:
                          • API String ID: 22757656-0
                          • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                          • Instruction ID: ad23408d0f4b4a7dc82d0f14924b4b3dbe66e2beeff0bde0b77f5d87b1c545b6
                          • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                          • Instruction Fuzzy Hash: 9A115E71A14B498BE7146B24E449339EAA0EB8DB78FA44334D6AA077D0CF3CD44D8B14
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                          • String ID:
                          • API String ID: 140117192-0
                          • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                          • Instruction ID: f4002d9b01eb0b71fdb9cf5f5ef3d3bb77ca4d3c8a0d209f1062cd42d8c43493
                          • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                          • Instruction Fuzzy Hash: 8D216D36918F4985E740AB04E885369F7B4FB89768F900136EA8D82768DF7DE44DC728
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF718D65433,?,?,?,00007FF718D669B8,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D656C5
                          • RtlFreeHeap.NTDLL ref: 00007FF718D656D9
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF718D65433,?,?,?,00007FF718D669B8,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D656FD
                          • RtlFreeHeap.NTDLL ref: 00007FF718D65711
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$FreeProcess
                          • String ID:
                          • API String ID: 3859560861-0
                          • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                          • Instruction ID: f34df002d96e504040e0ef05f15a3baa538542540be2dae09cbd49f7f54d69ca
                          • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                          • Instruction Fuzzy Hash: 55111672A04F8586DB049F56E4040A8FBB0F74DF99B988135DB8E03718DF38E49AC754
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AD6
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AEF
                            • Part of subcall function 00007FF718D54A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A28
                            • Part of subcall function 00007FF718D54A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A66
                            • Part of subcall function 00007FF718D54A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A7D
                            • Part of subcall function 00007FF718D54A14: memmove.MSVCRT(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A9A
                            • Part of subcall function 00007FF718D54A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54AA2
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D5EE64
                          • RtlFreeHeap.NTDLL ref: 00007FF718D5EE78
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                          • String ID:
                          • API String ID: 2759988882-0
                          • Opcode ID: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
                          • Instruction ID: 846b0f8ef4ba59fb6c60c5467aaee5f563d42ba14470364107582182c9568d99
                          • Opcode Fuzzy Hash: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
                          • Instruction Fuzzy Hash: EDF03C60A15F8686EB08AB669405178E9F1EF8EB65BC89134C98E42340EE3CA50C8235
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleMode_get_osfhandle
                          • String ID:
                          • API String ID: 1606018815-0
                          • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                          • Instruction ID: 011371e6ab08c1bd14b20e61d2ca4a8f0386b43933e01b47c03eea6d0f943127
                          • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                          • Instruction Fuzzy Hash: 93F01C31A24F86CBE7086B10E4451B9FAA0FB8EB16FC49274DA8B02394DF3CD00C8B15
                          APIs
                            • Part of subcall function 00007FF718D4CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                            • Part of subcall function 00007FF718D4CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF718D6827A), ref: 00007FF718D711DC
                          • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF718D6827A), ref: 00007FF718D71277
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcessmemmovewcschr
                          • String ID: &()[]{}^=;!%'+,`~
                          • API String ID: 1135967885-381716982
                          • Opcode ID: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
                          • Instruction ID: 8c0adb78fc90dcf04c689339a4db74ca16d9db846d4ed5abcd25df9f555525b2
                          • Opcode Fuzzy Hash: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
                          • Instruction Fuzzy Hash: 6471F771908F4685EB60AF25A481679F6A1FB9C7A8FC00335DA8D87B94DF3CE40D8B14
                          APIs
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506D6
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506F0
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D5074D
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D50762
                            • Part of subcall function 00007FF718D4EF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F000
                            • Part of subcall function 00007FF718D4EF40: wcschr.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F031
                            • Part of subcall function 00007FF718D4EF40: iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F0D6
                          • longjmp.MSVCRT ref: 00007FF718D5CCBC
                          • longjmp.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D5CCE0
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                          • String ID: GeToken: (%x) '%s'
                          • API String ID: 3282654869-1994581435
                          • Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                          • Instruction ID: 8e29e765098cc899f9f2ddfe2ed2b3625bb97a875a1b66ee71f34e4704f26bb8
                          • Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                          • Instruction Fuzzy Hash: DA61D171A0DF4A92FB14BB219450179E2A0AF4D7B4FD84635DA9D07AE5EE3CF44C8328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memmovewcsncmp
                          • String ID: 0123456789
                          • API String ID: 3879766669-2793719750
                          • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                          • Instruction ID: 2bee32cd20447f3d7095cd8d5fbf36195d8c889b90164d37034f833448ecf363
                          • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                          • Instruction Fuzzy Hash: 3E41D726F18B8E81EB25AF2694016BAF264FB48BA4F845131CE8E437C4DF3CD84D8354
                          APIs
                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D697D0
                            • Part of subcall function 00007FF718D4D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D46E
                            • Part of subcall function 00007FF718D4D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D485
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D4EE
                            • Part of subcall function 00007FF718D4D3F0: iswspace.MSVCRT ref: 00007FF718D4D54D
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D569
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D58C
                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D698D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                          • String ID: Software\Classes
                          • API String ID: 2714550308-1656466771
                          • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                          • Instruction ID: 4c7445bac551ff06c33f72b93d3b12bb5c24c500f35602062b816b1c0598c12d
                          • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                          • Instruction Fuzzy Hash: BE417F22A09F5A91EB00AB169445079E3A4FB48BF0FA08131DA9D477E1DF39D84EC358
                          APIs
                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D6A0FC
                            • Part of subcall function 00007FF718D4D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D46E
                            • Part of subcall function 00007FF718D4D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D485
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D4EE
                            • Part of subcall function 00007FF718D4D3F0: iswspace.MSVCRT ref: 00007FF718D4D54D
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D569
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D58C
                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D6A1FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                          • String ID: Software\Classes
                          • API String ID: 2714550308-1656466771
                          • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                          • Instruction ID: 1457d519c7ca30dc79dea9ca514e287ebf6fe501f7f20b2d36a69e3feee7b503
                          • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                          • Instruction Fuzzy Hash: 02417022A09F5E81EB00AB16D445439E3A4FB487E0FA48131DEDD477A1EE3DD85DC359
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleTitle
                          • String ID: -
                          • API String ID: 3358957663-3695764949
                          • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                          • Instruction ID: e0cc102f887cf4f1236685ebf5e4a65a350bc9eb5616785561388ded8f615944
                          • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                          • Instruction Fuzzy Hash: 1D318521A08F4A85EB14BB11A445178E6B4BB4DFB0FD84275D99E07B95DF3CE44DC328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmpswscanf
                          • String ID: :EOF
                          • API String ID: 1534968528-551370653
                          • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                          • Instruction ID: e21558fe738b027e712647675cc2b57b4ced1a3f84873971b3681cefa0a7d4e8
                          • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                          • Instruction Fuzzy Hash: 41316431E08F4A86FB14BB15A444278F2B1EF4D770FD58632EADD06295DF2CE44D8668
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmp
                          • String ID: /-Y
                          • API String ID: 1886669725-4274875248
                          • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                          • Instruction ID: 96b7aa829114eb9b4aef391378d92b81d1bc261fd6428a7071db5824e13bd432
                          • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                          • Instruction Fuzzy Hash: D0217175A08F5981EB18BB16944057AF6A0BB5CFE0F884071DEC817B94DE3CE49ED718
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID:
                          • String ID: 3$3
                          • API String ID: 0-2538865259
                          • Opcode ID: 20d97ca64ded1831fc5a14ddeeed34ee126ef41525fd7b4cb26341839782f1e3
                          • Instruction ID: 8c1ff121b7cad58c2a964449d6499c649f0efbf5a2db63c4245294b0ebb30393
                          • Opcode Fuzzy Hash: 20d97ca64ded1831fc5a14ddeeed34ee126ef41525fd7b4cb26341839782f1e3
                          • Instruction Fuzzy Hash: 21017970D0AF4A8AF708BBA1A8C1274F230BF5E330FD90175D48E059A5CF2C248C8729
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswspacewcschr
                          • String ID: =,;
                          • API String ID: 287713880-1539845467
                          • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                          • Instruction ID: 5033c28191224679497346b7bc36d5742b9ead833b8052889a72e0027e8a3387
                          • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                          • Instruction Fuzzy Hash: A1F04421A19F5A81FB64AB02E45017AF5B0FF4CF61FC99232D99D42254DF2CD84CC628
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506D6
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506F0
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D5074D
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D50762
                          Memory Dump Source
                          • Source File: 00000005.00000002.2059195351.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000005.00000002.2059144065.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059294844.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000005.00000002.2059334343.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                          • Instruction ID: dec06e250faa5415965adebbbc86acae3a217f4eab025246808695af8dab5c96
                          • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                          • Instruction Fuzzy Hash: 1A413A72A09B4A86EB14AF10E441179FAB0EF99BA0BD48135DA8D43754DF3CE84DC768

                          Execution Graph

                          Execution Coverage: 3.9%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 0%
                          Total number of Nodes: 1227
                          Total number of Limit Nodes: 9
execution_graph
memset 18981->18984 18982->18977 18983->18903 18984->18953 18984->18955 18984->18963 18984->18968 18984->18971 18984->18973 18984->18975 18984->18981 18985 7ff718d4ca40 17 API calls 18984->18985 18986 7ff718d6bfec 176 API calls 18984->18986 18987 7ff718d4d184 wcschr 18984->18987 18988 7ff718d4d1a7 wcschr 18984->18988 18989 7ff718d5c9c9 18984->18989 18992 7ff718d50a6c 273 API calls 18984->18992 18993 7ff718d4be00 647 API calls 18984->18993 18994 7ff718d53448 166 API calls 18984->18994 18995 7ff718d4cfab _wcsicmp 18984->18995 18996 7ff718d50580 12 API calls 18984->18996 19000 7ff718d51fac 238 API calls 18984->19000 19001 7ff718d4d044 ??_V@YAXPEAX 18984->19001 19037 7ff718d50494 18984->19037 19050 7ff718d4df60 18984->19050 19070 7ff718d6778c 18984->19070 19101 7ff718d6c738 18984->19101 18985->18984 18986->18984 18987->18984 18988->18984 18990 7ff718d5855c ??_V@YAXPEAX 18989->18990 18990->18953 18992->18984 18993->18984 18994->18984 18995->18984 18997 7ff718d4d003 GetConsoleOutputCP GetCPInfo 18996->18997 18998 7ff718d504f4 3 API calls 18997->18998 18998->18984 19000->18984 19001->18984 19003 7ff718d496c8 19002->19003 19004 7ff718d5b6e2 RevertToSelf CloseHandle 19002->19004 19005 7ff718d496ce 19003->19005 19006 7ff718d46a48 184 API calls 19003->19006 19005->18903 19006->19003 19008 7ff718d5596c 19007->19008 19009 7ff718d55a12 19007->19009 19008->19009 19010 7ff718d5598d VirtualQuery 19008->19010 19009->18903 19010->19009 19012 7ff718d559ad 19010->19012 19011 7ff718d559b7 VirtualQuery 19011->19009 19011->19012 19012->19009 19012->19011 19014 7ff718d6e954 19013->19014 19015 7ff718d6e990 19013->19015 19017 7ff718d6ee88 390 API calls 19014->19017 19016 7ff718d6e9b4 197 API calls 19015->19016 19018 7ff718d6e995 longjmp 19016->19018 19019 7ff718d6e964 19017->19019 19019->19015 19020 7ff718d496b4 186 API calls 19019->19020 19020->19019 19022 7ff718d676a3 19021->19022 19023 7ff718d676b7 19022->19023 19024 7ff718d496b4 186 API calls 19022->19024 19025 7ff718d6e9b4 197 API calls 
19023->19025 19024->19022 19026 7ff718d676bc longjmp 19025->19026 19028 7ff718d52d89 19027->19028 19029 7ff718d52da3 19027->19029 19032 7ff718d521af 19028->19032 19033 7ff718d52e0c 19028->19033 19029->19028 19030 7ff718d52dbc GetProcessHeap RtlFreeHeap 19029->19030 19030->19028 19030->19029 19032->18939 19034 7ff718d52e32 19033->19034 19035 7ff718d52e11 19033->19035 19034->19028 19035->19034 19036 7ff718d5e494 VirtualFree 19035->19036 19039 7ff718d504a4 19037->19039 19038 7ff718d526e0 19 API calls 19038->19039 19039->19038 19040 7ff718d504b9 _get_osfhandle SetFilePointer 19039->19040 19041 7ff718d5d845 19039->19041 19042 7ff718d5d839 19039->19042 19044 7ff718d43278 166 API calls 19039->19044 19040->18984 19043 7ff718d6f1d8 166 API calls 19041->19043 19045 7ff718d43278 166 API calls 19042->19045 19046 7ff718d5d837 19043->19046 19047 7ff718d5d819 _getch 19044->19047 19045->19046 19047->19039 19048 7ff718d5d832 19047->19048 19120 7ff718d6bde4 EnterCriticalSection LeaveCriticalSection 19048->19120 19051 7ff718d4df93 19050->19051 19052 7ff718d4dfe2 19050->19052 19051->19052 19053 7ff718d4df9f GetProcessHeap RtlFreeHeap 19051->19053 19054 7ff718d4e100 VirtualFree 19052->19054 19055 7ff718d4e00b _setjmp 19052->19055 19053->19051 19053->19052 19054->19052 19056 7ff718d4e04a 19055->19056 19057 7ff718d4ceaa _tell 19055->19057 19058 7ff718d4e600 473 API calls 19056->19058 19057->18972 19059 7ff718d4e073 19058->19059 19060 7ff718d4e0e0 longjmp 19059->19060 19061 7ff718d4e081 19059->19061 19069 7ff718d4e0b0 19060->19069 19121 7ff718d4d250 19061->19121 19066 7ff718d4e600 473 API calls 19067 7ff718d4e0a7 19066->19067 19068 7ff718d6d610 167 API calls 19067->19068 19067->19069 19068->19069 19069->19057 19152 7ff718d6d3fc 19069->19152 19090 7ff718d677bc 19070->19090 19071 7ff718d679ef 19071->18984 19072 7ff718d679c0 19081 7ff718d534a0 166 API calls 19072->19081 19073 7ff718d67aca 19075 7ff718d534a0 166 API calls 19073->19075 19076 7ff718d67adb 19075->19076 19079 7ff718d67af0 
19076->19079 19084 7ff718d53448 166 API calls 19076->19084 19077 7ff718d67984 19077->19072 19080 7ff718d67989 19077->19080 19078 7ff718d67ab5 19082 7ff718d53448 166 API calls 19078->19082 19085 7ff718d6778c 166 API calls 19079->19085 19080->19071 19204 7ff718d676e0 19080->19204 19087 7ff718d679d6 19081->19087 19082->19071 19083 7ff718d67a00 19083->19071 19089 7ff718d67a0b 19083->19089 19099 7ff718d67a33 19083->19099 19084->19079 19088 7ff718d67afb 19085->19088 19086 7ff718d53448 166 API calls 19086->19090 19091 7ff718d53448 166 API calls 19087->19091 19100 7ff718d679e7 19087->19100 19088->19080 19094 7ff718d53448 166 API calls 19088->19094 19089->19071 19095 7ff718d534a0 166 API calls 19089->19095 19090->19071 19090->19072 19090->19073 19090->19077 19090->19078 19090->19080 19090->19083 19090->19086 19097 7ff718d6778c 166 API calls 19090->19097 19091->19100 19093 7ff718d53448 166 API calls 19093->19071 19094->19080 19096 7ff718d67a23 19095->19096 19098 7ff718d6778c 166 API calls 19096->19098 19097->19090 19098->19100 19099->19093 19200 7ff718d67730 19100->19200 19102 7ff718d6c775 19101->19102 19109 7ff718d6c7ab 19101->19109 19103 7ff718d4cd90 166 API calls 19102->19103 19105 7ff718d6c781 19103->19105 19104 7ff718d6c8d4 19104->18984 19105->19104 19106 7ff718d4b0d8 194 API calls 19105->19106 19106->19104 19107 7ff718d4b6b0 170 API calls 19107->19109 19108 7ff718d4b038 _dup2 19108->19109 19109->19104 19109->19105 19109->19107 19109->19108 19110 7ff718d4d208 _close 19109->19110 19110->19109 19112 7ff718d6d63d 19111->19112 19118 7ff718d6d635 19111->19118 19113 7ff718d6d64a 19112->19113 19115 7ff718d6d658 19112->19115 19114 7ff718d43278 166 API calls 19113->19114 19114->19118 19115->19118 19119 7ff718d43278 166 API calls 19115->19119 19116 7ff718d5c9da 19116->18977 19116->18979 19117 7ff718d6d672 longjmp 19117->19116 19118->19116 19118->19117 19119->19118 19122 7ff718d4d2d3 19121->19122 19132 7ff718d4d267 19121->19132 19126 7ff718d4e600 473 API calls 19122->19126 19128 
7ff718d4d305 19122->19128 19122->19132 19123 7ff718d4d2a6 19125 7ff718d4d316 19123->19125 19130 7ff718d4ef40 472 API calls 19123->19130 19124 7ff718d4d284 _wcsicmp 19124->19123 19129 7ff718d4d32b 19124->19129 19125->19066 19125->19069 19126->19122 19127 7ff718d4e600 473 API calls 19127->19129 19128->19125 19131 7ff718d4e600 473 API calls 19128->19131 19129->19123 19129->19127 19141 7ff718d4edf8 19130->19141 19131->19132 19132->19123 19132->19124 19133 7ff718d5d0a2 longjmp 19134 7ff718d5d0c5 19133->19134 19135 7ff718d53448 166 API calls 19134->19135 19136 7ff718d5d0d4 19135->19136 19137 7ff718d4ee68 19139 7ff718d4ef40 472 API calls 19137->19139 19138 7ff718d4eece 19138->19125 19140 7ff718d4cd90 166 API calls 19138->19140 19139->19125 19142 7ff718d4eee7 19140->19142 19141->19133 19141->19134 19141->19137 19144 7ff718d4eeb1 19141->19144 19145 7ff718d4eeef 19142->19145 19146 7ff718d4ef31 19142->19146 19143 7ff718d4e600 473 API calls 19143->19144 19144->19138 19144->19143 19148 7ff718d4eec2 19144->19148 19149 7ff718d4e600 473 API calls 19145->19149 19147 7ff718d6e91c 198 API calls 19146->19147 19150 7ff718d4ef36 19147->19150 19151 7ff718d4ef40 472 API calls 19148->19151 19149->19125 19150->19133 19151->19138 19168 7ff718d6d419 19152->19168 19153 7ff718d5cadf 19154 7ff718d6d576 19155 7ff718d6d592 19154->19155 19166 7ff718d6d555 19154->19166 19156 7ff718d53448 166 API calls 19155->19156 19159 7ff718d6d5a5 19156->19159 19157 7ff718d6d5c4 19161 7ff718d53448 166 API calls 19157->19161 19162 7ff718d6d5ba 19159->19162 19164 7ff718d53448 166 API calls 19159->19164 19160 7ff718d6d541 19160->19155 19163 7ff718d6d546 19160->19163 19161->19153 19170 7ff718d6d36c 19162->19170 19163->19157 19163->19166 19164->19162 19177 7ff718d6d31c 19166->19177 19167 7ff718d6d3fc 166 API calls 19167->19168 19168->19153 19168->19154 19168->19155 19168->19157 19168->19160 19168->19166 19168->19167 19169 7ff718d53448 166 API calls 19168->19169 19169->19168 19171 7ff718d6d3d8 19170->19171 19172 
7ff718d6d381 19170->19172 19173 7ff718d534a0 166 API calls 19172->19173 19175 7ff718d6d390 19173->19175 19174 7ff718d53448 166 API calls 19174->19175 19175->19171 19175->19174 19176 7ff718d534a0 166 API calls 19175->19176 19176->19175 19178 7ff718d53448 166 API calls 19177->19178 19179 7ff718d6d33b 19178->19179 19180 7ff718d6d36c 166 API calls 19179->19180 19181 7ff718d6d343 19180->19181 19182 7ff718d6d3fc 166 API calls 19181->19182 19199 7ff718d6d34e 19182->19199 19183 7ff718d6d5c2 19183->19153 19184 7ff718d6d576 19185 7ff718d6d592 19184->19185 19197 7ff718d6d555 19184->19197 19186 7ff718d53448 166 API calls 19185->19186 19189 7ff718d6d5a5 19186->19189 19187 7ff718d6d5c4 19191 7ff718d53448 166 API calls 19187->19191 19188 7ff718d6d31c 166 API calls 19188->19183 19192 7ff718d6d5ba 19189->19192 19195 7ff718d53448 166 API calls 19189->19195 19190 7ff718d6d541 19190->19185 19193 7ff718d6d546 19190->19193 19191->19183 19196 7ff718d6d36c 166 API calls 19192->19196 19193->19187 19193->19197 19194 7ff718d53448 166 API calls 19194->19199 19195->19192 19196->19183 19197->19188 19198 7ff718d6d3fc 166 API calls 19198->19199 19199->19183 19199->19184 19199->19185 19199->19187 19199->19190 19199->19194 19199->19197 19199->19198 19203 7ff718d6773c 19200->19203 19201 7ff718d6777d 19201->19071 19202 7ff718d53448 166 API calls 19202->19203 19203->19201 19203->19202 19205 7ff718d6778c 166 API calls 19204->19205 19206 7ff718d676fb 19205->19206 19207 7ff718d6771c 19206->19207 19208 7ff718d53448 166 API calls 19206->19208 19207->19071 19209 7ff718d67711 19208->19209 19210 7ff718d6778c 166 API calls 19209->19210 19210->19207 19212 7ff718d472de 19211->19212 19213 7ff718d64621 19211->19213 19215 7ff718d472eb 19212->19215 19220 7ff718d64467 19212->19220 19221 7ff718d64530 19212->19221 19214 7ff718d647e0 19213->19214 19218 7ff718d6447b longjmp 19213->19218 19222 7ff718d64639 19213->19222 19237 7ff718d6475e 19213->19237 19216 7ff718d47348 168 API calls 19214->19216 19272 7ff718d47348 
19215->19272 19271 7ff718d64524 19216->19271 19223 7ff718d64492 19218->19223 19220->19215 19220->19223 19233 7ff718d64475 19220->19233 19228 7ff718d47348 168 API calls 19221->19228 19225 7ff718d6463e 19222->19225 19226 7ff718d64695 19222->19226 19227 7ff718d47348 168 API calls 19223->19227 19224 7ff718d47315 19287 7ff718d473d4 19224->19287 19225->19218 19241 7ff718d64654 19225->19241 19232 7ff718d473d4 168 API calls 19226->19232 19244 7ff718d644a8 19227->19244 19235 7ff718d64549 19228->19235 19229 7ff718d472b0 168 API calls 19238 7ff718d6480e 19229->19238 19230 7ff718d47348 168 API calls 19230->19224 19240 7ff718d6469a 19232->19240 19233->19218 19233->19226 19234 7ff718d47348 168 API calls 19234->19214 19236 7ff718d645b2 19235->19236 19257 7ff718d47348 168 API calls 19235->19257 19262 7ff718d6455e 19235->19262 19242 7ff718d47348 168 API calls 19236->19242 19237->19234 19238->18702 19239 7ff718d47323 19239->18702 19255 7ff718d646e1 19240->19255 19263 7ff718d646c7 19240->19263 19264 7ff718d646ea 19240->19264 19245 7ff718d47348 168 API calls 19241->19245 19247 7ff718d645c7 19242->19247 19243 7ff718d644e2 19251 7ff718d472b0 168 API calls 19243->19251 19244->19243 19250 7ff718d47348 168 API calls 19244->19250 19245->19239 19246 7ff718d472b0 168 API calls 19252 7ff718d64738 19246->19252 19249 7ff718d47348 168 API calls 19247->19249 19248 7ff718d47348 168 API calls 19248->19236 19253 7ff718d645db 19249->19253 19250->19243 19254 7ff718d644f1 19251->19254 19256 7ff718d47348 168 API calls 19252->19256 19258 7ff718d47348 168 API calls 19253->19258 19259 7ff718d472b0 168 API calls 19254->19259 19255->19246 19256->19271 19257->19262 19260 7ff718d645ec 19258->19260 19261 7ff718d64503 19259->19261 19266 7ff718d47348 168 API calls 19260->19266 19261->19239 19269 7ff718d47348 168 API calls 19261->19269 19262->19236 19262->19248 19263->19255 19267 7ff718d47348 168 API calls 19263->19267 19265 7ff718d47348 168 API calls 19264->19265 19265->19255 19268 7ff718d64600 19266->19268 
19267->19255 19270 7ff718d47348 168 API calls 19268->19270 19269->19271 19270->19271 19271->19229 19271->19239 19279 7ff718d4735d 19272->19279 19273 7ff718d43278 166 API calls 19274 7ff718d64820 longjmp 19273->19274 19275 7ff718d64838 19274->19275 19276 7ff718d43278 166 API calls 19275->19276 19277 7ff718d64844 longjmp 19276->19277 19278 7ff718d6485a 19277->19278 19280 7ff718d47348 166 API calls 19278->19280 19279->19273 19279->19275 19279->19279 19286 7ff718d473ab 19279->19286 19281 7ff718d6487b 19280->19281 19282 7ff718d47348 166 API calls 19281->19282 19283 7ff718d648ad 19282->19283 19284 7ff718d47348 166 API calls 19283->19284 19285 7ff718d472ff 19284->19285 19285->19224 19285->19230 19288 7ff718d6485a 19287->19288 19289 7ff718d47401 19287->19289 19290 7ff718d47348 168 API calls 19288->19290 19289->19239 19291 7ff718d6487b 19290->19291 19292 7ff718d47348 168 API calls 19291->19292 19293 7ff718d648ad 19292->19293 19294 7ff718d47348 168 API calls 19293->19294 19295 7ff718d648be 19294->19295 19295->19239 16744 7ff718d58d80 16745 7ff718d58da4 16744->16745 16746 7ff718d58db6 16745->16746 16747 7ff718d58dbf Sleep 16745->16747 16748 7ff718d58ddb _amsg_exit 16746->16748 16752 7ff718d58de7 16746->16752 16747->16745 16748->16752 16749 7ff718d58e56 _initterm 16750 7ff718d58e73 _IsNonwritableInCurrentImage 16749->16750 16758 7ff718d537d8 GetCurrentThreadId OpenThread 16750->16758 16751 7ff718d58e3c 16752->16749 16752->16750 16752->16751 16791 7ff718d504f4 16758->16791 16760 7ff718d53839 HeapSetInformation RegOpenKeyExW 16761 7ff718d5388d 16760->16761 16762 7ff718d5e9f8 RegQueryValueExW RegCloseKey 16760->16762 16763 7ff718d55920 VirtualQuery VirtualQuery 16761->16763 16765 7ff718d5ea41 GetThreadLocale 16762->16765 16764 7ff718d538ab GetConsoleOutputCP GetCPInfo 16763->16764 16764->16765 16766 7ff718d538f1 memset 16764->16766 16773 7ff718d53919 16765->16773 16766->16773 16767 7ff718d54d5c 391 API calls 16767->16773 16768 7ff718d43240 166 API calls 16768->16773 16769 
7ff718d5eb27 _setjmp 16769->16773 16770 7ff718d53948 _setjmp 16770->16773 16771 7ff718d68530 370 API calls 16771->16773 16772 7ff718d501b8 6 API calls 16772->16773 16773->16762 16773->16767 16773->16768 16773->16769 16773->16770 16773->16771 16773->16772 16774 7ff718d4df60 481 API calls 16773->16774 16775 7ff718d5eb71 _setmode 16773->16775 16776 7ff718d586f0 182 API calls 16773->16776 16777 7ff718d50580 12 API calls 16773->16777 16778 7ff718d54c1c 166 API calls 16773->16778 16780 7ff718d558e4 EnterCriticalSection LeaveCriticalSection 16773->16780 16782 7ff718d4be00 659 API calls 16773->16782 16783 7ff718d558e4 EnterCriticalSection LeaveCriticalSection 16773->16783 16774->16773 16775->16773 16776->16773 16779 7ff718d5398b GetConsoleOutputCP GetCPInfo 16777->16779 16778->16773 16781 7ff718d504f4 GetModuleHandleW GetProcAddress SetThreadLocale 16779->16781 16780->16773 16781->16773 16782->16773 16784 7ff718d5ebbe GetConsoleOutputCP GetCPInfo 16783->16784 16785 7ff718d504f4 GetModuleHandleW GetProcAddress SetThreadLocale 16784->16785 16786 7ff718d5ebe6 16785->16786 16787 7ff718d4be00 659 API calls 16786->16787 16788 7ff718d50580 12 API calls 16786->16788 16787->16786 16789 7ff718d5ebfc GetConsoleOutputCP GetCPInfo 16788->16789 16790 7ff718d504f4 GetModuleHandleW GetProcAddress SetThreadLocale 16789->16790 16790->16773 16792 7ff718d50504 16791->16792 16793 7ff718d5051e GetModuleHandleW 16792->16793 16794 7ff718d5054d GetProcAddress 16792->16794 16795 7ff718d5056c SetThreadLocale 16792->16795 16793->16792 16794->16792

                          Control-flow Graph

                          control_flow_graph 0 7ff718d4aa54-7ff718d4aa98 call 7ff718d4cd90 3 7ff718d4aa9e 0->3 4 7ff718d5bf5a-7ff718d5bf70 call 7ff718d54c1c call 7ff718d4ff70 0->4 5 7ff718d4aaa5-7ff718d4aaa8 3->5 7 7ff718d4acde-7ff718d4ad00 5->7 8 7ff718d4aaae-7ff718d4aac8 wcschr 5->8 13 7ff718d4ad06 7->13 8->7 10 7ff718d4aace-7ff718d4aae9 towlower 8->10 10->7 12 7ff718d4aaef-7ff718d4aaf3 10->12 16 7ff718d5beb7-7ff718d5bec4 call 7ff718d6eaf0 12->16 17 7ff718d4aaf9-7ff718d4aafd 12->17 18 7ff718d4ad0d-7ff718d4ad1f 13->18 30 7ff718d5bf43-7ff718d5bf59 call 7ff718d54c1c 16->30 31 7ff718d5bec6-7ff718d5bed8 call 7ff718d43240 16->31 20 7ff718d4ab03-7ff718d4ab07 17->20 21 7ff718d5bbcf 17->21 22 7ff718d4ad22-7ff718d4ad2a call 7ff718d513e0 18->22 25 7ff718d4ab7d-7ff718d4ab81 20->25 26 7ff718d4ab09-7ff718d4ab0d 20->26 32 7ff718d5bbde 21->32 22->5 28 7ff718d5be63 25->28 33 7ff718d4ab87-7ff718d4ab95 25->33 27 7ff718d4ab13-7ff718d4ab17 26->27 26->28 27->25 34 7ff718d4ab19-7ff718d4ab1d 27->34 39 7ff718d5be72-7ff718d5be88 call 7ff718d43278 call 7ff718d54c1c 28->39 30->4 31->30 46 7ff718d5beda-7ff718d5bee9 call 7ff718d43240 31->46 42 7ff718d5bbea-7ff718d5bbec 32->42 37 7ff718d4ab98-7ff718d4aba0 33->37 34->32 38 7ff718d4ab23-7ff718d4ab27 34->38 37->37 43 7ff718d4aba2-7ff718d4abb3 call 7ff718d4cd90 37->43 38->42 44 7ff718d4ab2d-7ff718d4ab31 38->44 67 7ff718d5be89-7ff718d5be8c 39->67 51 7ff718d5bbf8-7ff718d5bc01 42->51 43->4 53 7ff718d4abb9-7ff718d4abde call 7ff718d513e0 call 7ff718d533a8 43->53 44->13 48 7ff718d4ab37-7ff718d4ab3b 44->48 61 7ff718d5beeb-7ff718d5bef1 46->61 62 7ff718d5bef3-7ff718d5bef9 46->62 48->51 54 7ff718d4ab41-7ff718d4ab45 48->54 51->18 89 7ff718d4abe4-7ff718d4abe7 53->89 90 7ff718d4ac75 53->90 58 7ff718d4ab4b-7ff718d4ab4f 54->58 59 7ff718d5bc06-7ff718d5bc2a call 7ff718d513e0 54->59 65 7ff718d4ab55-7ff718d4ab78 call 7ff718d513e0 58->65 66 7ff718d4ad2f-7ff718d4ad33 58->66 77 7ff718d5bc2c-7ff718d5bc4c _wcsnicmp 59->77 78 7ff718d5bc5a-7ff718d5bc61 59->78 61->30 61->62 
62->30 68 7ff718d5befb-7ff718d5bf0d call 7ff718d43240 62->68 65->5 71 7ff718d4ad39-7ff718d4ad3d 66->71 72 7ff718d5bc66-7ff718d5bc8a call 7ff718d513e0 66->72 74 7ff718d4acbe 67->74 75 7ff718d5be92-7ff718d5beaa call 7ff718d43278 call 7ff718d54c1c 67->75 68->30 87 7ff718d5bf0f-7ff718d5bf21 call 7ff718d43240 68->87 80 7ff718d5bcde-7ff718d5bd02 call 7ff718d513e0 71->80 81 7ff718d4ad43-7ff718d4ad49 71->81 107 7ff718d5bc8c-7ff718d5bcaa _wcsnicmp 72->107 108 7ff718d5bcc4-7ff718d5bcdc 72->108 84 7ff718d4acc0-7ff718d4acc7 74->84 127 7ff718d5beab-7ff718d5beb6 call 7ff718d54c1c 75->127 77->78 88 7ff718d5bc4e-7ff718d5bc55 77->88 93 7ff718d5bd31-7ff718d5bd4f _wcsnicmp 78->93 119 7ff718d5bd2a 80->119 120 7ff718d5bd04-7ff718d5bd24 _wcsnicmp 80->120 91 7ff718d5bd5e-7ff718d5bd65 81->91 92 7ff718d4ad4f-7ff718d4ad68 81->92 84->84 95 7ff718d4acc9-7ff718d4acda 84->95 87->30 122 7ff718d5bf23-7ff718d5bf35 call 7ff718d43240 87->122 102 7ff718d5bbb3-7ff718d5bbb7 88->102 89->74 104 7ff718d4abed-7ff718d4ac0b call 7ff718d4cd90 * 2 89->104 99 7ff718d4ac77-7ff718d4ac7f 90->99 91->92 103 7ff718d5bd6b-7ff718d5bd73 91->103 105 7ff718d4ad6d-7ff718d4ad70 92->105 106 7ff718d4ad6a 92->106 100 7ff718d5bd55 93->100 101 7ff718d5bbc2-7ff718d5bbca 93->101 95->7 99->74 116 7ff718d4ac81-7ff718d4ac85 99->116 100->91 101->5 111 7ff718d5bbba-7ff718d5bbbd call 7ff718d513e0 102->111 112 7ff718d5be4a-7ff718d5be5e 103->112 113 7ff718d5bd79-7ff718d5bd8b iswxdigit 103->113 104->127 140 7ff718d4ac11-7ff718d4ac14 104->140 105->22 106->105 107->108 117 7ff718d5bcac-7ff718d5bcbf 107->117 108->93 111->101 112->111 113->112 125 7ff718d5bd91-7ff718d5bda3 iswxdigit 113->125 123 7ff718d4ac88-7ff718d4ac8f 116->123 117->102 119->93 120->119 121 7ff718d5bbac 120->121 121->102 122->30 141 7ff718d5bf37-7ff718d5bf3e call 7ff718d43240 122->141 123->123 132 7ff718d4ac91-7ff718d4ac94 123->132 125->112 129 7ff718d5bda9-7ff718d5bdbb iswxdigit 125->129 127->16 129->112 136 7ff718d5bdc1-7ff718d5bdd7 iswdigit 129->136 132->74 135 
7ff718d4ac96-7ff718d4acaa wcsrchr 132->135 135->74 142 7ff718d4acac-7ff718d4acb9 call 7ff718d51300 135->142 138 7ff718d5bdd9-7ff718d5bddd 136->138 139 7ff718d5bddf-7ff718d5bdeb towlower 136->139 145 7ff718d5bdee-7ff718d5be0f iswdigit 138->145 139->145 140->127 146 7ff718d4ac1a-7ff718d4ac33 memset 140->146 141->30 142->74 147 7ff718d5be17-7ff718d5be23 towlower 145->147 148 7ff718d5be11-7ff718d5be15 145->148 146->90 149 7ff718d4ac35-7ff718d4ac4b wcschr 146->149 150 7ff718d5be26-7ff718d5be45 call 7ff718d513e0 147->150 148->150 149->90 151 7ff718d4ac4d-7ff718d4ac54 149->151 150->112 152 7ff718d4ac5a-7ff718d4ac6f wcschr 151->152 153 7ff718d4ad72-7ff718d4ad91 wcschr 151->153 152->90 152->153 155 7ff718d4ad97-7ff718d4adac wcschr 153->155 156 7ff718d4af03-7ff718d4af07 153->156 155->156 157 7ff718d4adb2-7ff718d4adc7 wcschr 155->157 156->90 157->156 158 7ff718d4adcd-7ff718d4ade2 wcschr 157->158 158->156 159 7ff718d4ade8-7ff718d4adfd wcschr 158->159 159->156 160 7ff718d4ae03-7ff718d4ae18 wcschr 159->160 160->156 161 7ff718d4ae1e-7ff718d4ae21 160->161 162 7ff718d4ae24-7ff718d4ae27 161->162 162->156 163 7ff718d4ae2d-7ff718d4ae40 iswspace 162->163 164 7ff718d4ae4b-7ff718d4ae5e 163->164 165 7ff718d4ae42-7ff718d4ae49 163->165 166 7ff718d4ae66-7ff718d4ae6d 164->166 165->162 166->166 167 7ff718d4ae6f-7ff718d4ae77 166->167 167->39 168 7ff718d4ae7d-7ff718d4ae97 call 7ff718d513e0 167->168 171 7ff718d4ae9a-7ff718d4aea4 168->171 172 7ff718d4aebc-7ff718d4aef8 call 7ff718d50a6c call 7ff718d4ff70 * 2 171->172 173 7ff718d4aea6-7ff718d4aead 171->173 172->99 181 7ff718d4aefe 172->181 173->172 174 7ff718d4aeaf-7ff718d4aeba 173->174 174->171 174->172 181->67
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                          • String ID: :$:$:$:ON$OFF
                          • API String ID: 972821348-467788257
                          • Opcode ID: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                          • Instruction ID: 3899f5b58632f2d57bad750863e14eadcb2ef4c251859ad5345cd454f452a09f
                          • Opcode Fuzzy Hash: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                          • Instruction Fuzzy Hash: 0322C221A08F4A86FB54BF219415279E6B1EF4DBA0FC88176C98E47794DF3CA44C8729

                          Control-flow Graph

                          control_flow_graph 182 7ff718d551ec-7ff718d55248 call 7ff718d55508 GetLocaleInfoW 185 7ff718d5524e-7ff718d55272 GetLocaleInfoW 182->185 186 7ff718d5ef32-7ff718d5ef3c 182->186 187 7ff718d55274-7ff718d5527a 185->187 188 7ff718d55295-7ff718d552b9 GetLocaleInfoW 185->188 189 7ff718d5ef3f-7ff718d5ef49 186->189 190 7ff718d554f7-7ff718d554f9 187->190 191 7ff718d55280-7ff718d55286 187->191 192 7ff718d552bb-7ff718d552c3 188->192 193 7ff718d552de-7ff718d55305 GetLocaleInfoW 188->193 194 7ff718d5ef4b-7ff718d5ef52 189->194 195 7ff718d5ef61-7ff718d5ef6c 189->195 190->186 191->190 197 7ff718d5528c-7ff718d5528f 191->197 198 7ff718d552c9-7ff718d552d7 192->198 199 7ff718d5ef75-7ff718d5ef78 192->199 200 7ff718d55307-7ff718d5531b 193->200 201 7ff718d55321-7ff718d55343 GetLocaleInfoW 193->201 194->195 196 7ff718d5ef54-7ff718d5ef5f 194->196 195->199 196->189 196->195 197->188 198->193 202 7ff718d5ef7a-7ff718d5ef7d 199->202 203 7ff718d5ef99-7ff718d5efa3 199->203 200->201 204 7ff718d55349-7ff718d5536e GetLocaleInfoW 201->204 205 7ff718d5efaf-7ff718d5efb9 201->205 202->193 208 7ff718d5ef83-7ff718d5ef8d 202->208 203->205 206 7ff718d55374-7ff718d55396 GetLocaleInfoW 204->206 207 7ff718d5eff2-7ff718d5effc 204->207 209 7ff718d5efbc-7ff718d5efc6 205->209 211 7ff718d5539c-7ff718d553be GetLocaleInfoW 206->211 212 7ff718d5f035-7ff718d5f03f 206->212 210 7ff718d5efff-7ff718d5f009 207->210 208->203 213 7ff718d5efde-7ff718d5efe9 209->213 214 7ff718d5efc8-7ff718d5efcf 209->214 215 7ff718d5f00b-7ff718d5f012 210->215 216 7ff718d5f021-7ff718d5f02c 210->216 217 7ff718d5f078-7ff718d5f082 211->217 218 7ff718d553c4-7ff718d553e6 GetLocaleInfoW 211->218 219 7ff718d5f042-7ff718d5f04c 212->219 213->207 214->213 220 7ff718d5efd1-7ff718d5efdc 214->220 215->216 221 7ff718d5f014-7ff718d5f01f 215->221 216->212 226 7ff718d5f085-7ff718d5f08f 217->226 222 7ff718d5f0bb-7ff718d5f0c5 218->222 223 7ff718d553ec-7ff718d5540e GetLocaleInfoW 218->223 224 7ff718d5f04e-7ff718d5f055 219->224 225 
7ff718d5f064-7ff718d5f06f 219->225 220->209 220->213 221->210 221->216 227 7ff718d5f0c8-7ff718d5f0d2 222->227 228 7ff718d5f0fe-7ff718d5f108 223->228 229 7ff718d55414-7ff718d55436 GetLocaleInfoW 223->229 224->225 230 7ff718d5f057-7ff718d5f062 224->230 225->217 231 7ff718d5f0a7-7ff718d5f0b2 226->231 232 7ff718d5f091-7ff718d5f098 226->232 233 7ff718d5f0ea-7ff718d5f0f5 227->233 234 7ff718d5f0d4-7ff718d5f0db 227->234 237 7ff718d5f10b-7ff718d5f115 228->237 235 7ff718d5543c-7ff718d5545e GetLocaleInfoW 229->235 236 7ff718d5f141-7ff718d5f14b 229->236 230->219 230->225 231->222 232->231 238 7ff718d5f09a-7ff718d5f0a5 232->238 233->228 234->233 239 7ff718d5f0dd-7ff718d5f0e8 234->239 240 7ff718d5f184-7ff718d5f18b 235->240 241 7ff718d55464-7ff718d55486 GetLocaleInfoW 235->241 244 7ff718d5f14e-7ff718d5f158 236->244 242 7ff718d5f12d-7ff718d5f138 237->242 243 7ff718d5f117-7ff718d5f11e 237->243 238->226 238->231 239->227 239->233 245 7ff718d5f18e-7ff718d5f198 240->245 246 7ff718d5548c-7ff718d554ae GetLocaleInfoW 241->246 247 7ff718d5f1c4-7ff718d5f1ce 241->247 242->236 243->242 248 7ff718d5f120-7ff718d5f12b 243->248 249 7ff718d5f15a-7ff718d5f161 244->249 250 7ff718d5f170-7ff718d5f17b 244->250 252 7ff718d5f19a-7ff718d5f1a1 245->252 253 7ff718d5f1b0-7ff718d5f1bb 245->253 254 7ff718d5f207-7ff718d5f20e 246->254 255 7ff718d554b4-7ff718d554f5 setlocale call 7ff718d58f80 246->255 256 7ff718d5f1d1-7ff718d5f1db 247->256 248->237 248->242 249->250 251 7ff718d5f163-7ff718d5f16e 249->251 250->240 251->244 251->250 252->253 258 7ff718d5f1a3-7ff718d5f1ae 252->258 253->247 257 7ff718d5f211-7ff718d5f21b 254->257 260 7ff718d5f1dd-7ff718d5f1e4 256->260 261 7ff718d5f1f3-7ff718d5f1fe 256->261 262 7ff718d5f21d-7ff718d5f224 257->262 263 7ff718d5f233-7ff718d5f23e 257->263 258->245 258->253 260->261 265 7ff718d5f1e6-7ff718d5f1f1 260->265 261->254 262->263 266 7ff718d5f226-7ff718d5f231 262->266 265->256 265->261 266->257 266->263
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: InfoLocale$DefaultUsersetlocale
                          • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                          • API String ID: 1351325837-2236139042
                          • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                          • Instruction ID: 8161ed9b0cdea9e0b2741457a39ebb61d6d9dba22c0652d29eba2148c7a1af0a
                          • Instruction Fuzzy Hash: 96F14B25B08B4A85EB15AF15D5102B9E2B4BF0DBA4FD44236DA8D477A4EF3CE50DC328

                          Control-flow Graph
                          • Rendered graph not recoverable from extraction; first block at 7ff718d55554, API calls on its nodes: RegOpenKeyExW, RegQueryValueExW, _wtol, wcstol, time, srand, RegCloseKey, ExpandEnvironmentStringsW
                          APIs
                          Strings
                          Similarity
                          • API ID: QueryValue$CloseOpensrandtime
                          • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                          • API String ID: 145004033-3846321370
                          • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                          • Instruction ID: cb7799b12b6521e97310c5ca65dc329cbd234d29441052a8e0563b1355e43f39
                          • Instruction Fuzzy Hash: 2BE13A32519F8A86E751AB10E44017AF7B0FB89765FC05236EACE42A58DF7CE54CCB24

                          Control-flow Graph
                          • Rendered graph not recoverable from extraction; first block at 7ff718d537d8, API calls on its nodes: GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetConsoleOutputCP, GetCPInfo, GetThreadLocale, memset, _setjmp, _setmode
                          APIs
                          Strings
                          Similarity
                          • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                          • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                          • API String ID: 2624720099-1920437939
                          • Opcode ID: 0bf09e208e1b0c6bea64f33002f51ec0bb7d1cb9bc02841e8aeeb1d0e4bcf9a4
                          • Instruction ID: f3a5d52e787c499db80ef41b758dbff7cf1eb4f250ecf78b3a4b347f963f2960
                          • Instruction Fuzzy Hash: 25C1C131E08F4A8AF714BB609441178FAB1FF4E734FC4823AD99E56695DE3CA44D8728

                          Control-flow Graph

                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                          • Instruction ID: 7d3d4f061d33efecd404d077a79c841b505941160734e29a406f1e165d341a09
                          • Instruction Fuzzy Hash: F651D621B08B8685EB20AB15D54427AE770FB58BB4FC44332DEAD076D1DF3CE44D8614
                          APIs
                          • memset.MSVCRT ref: 00007FF718D47DA1
                            • Part of subcall function 00007FF718D5417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D541AD
                            • Part of subcall function 00007FF718D4D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D46E
                            • Part of subcall function 00007FF718D4D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D485
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D4EE
                            • Part of subcall function 00007FF718D4D3F0: iswspace.MSVCRT ref: 00007FF718D4D54D
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D569
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D58C
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D47EB7
                          Similarity
                          • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                          • String ID:
                          • API String ID: 168394030-0
                          • Opcode ID: b6050c66f82dc7928a1abc4fa5bbb3c506f83fcae6e66a9ce87afb692c1e7a8d
                          • Instruction ID: b6caba322b15b6d30f6027e2d6eaeaea24ece01cf2eeca58cbde49c46beb5303
                          • Instruction Fuzzy Hash: C3A11521B08F4A85FB24AB2994416B9E3B1BF8D7A4FC44232D99D47AD5DF3CE40D8714

                          Control-flow Graph
                          • Rendered graph not recoverable from extraction; first block at 7ff718d54d5c, API calls on its nodes: InitializeCriticalSection, SetConsoleCtrlHandler, _get_osfhandle, GetConsoleMode, GetCommandLineW, GetConsoleOutputCP, GetCPInfo, GetProcessHeap, HeapAlloc, GetConsoleTitleW, GetWindowsDirectoryW, GetStdHandle, GetConsoleScreenBufferInfo, GlobalFree, GetModuleHandleW, GetProcAddress, free
                          APIs
                          • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54D9A
                            • Part of subcall function 00007FF718D558E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF718D6C6DB), ref: 00007FF718D558EF
                          • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54DBB
                          • _get_osfhandle.MSVCRT ref: 00007FF718D54DCA
                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54DE0
                          • _get_osfhandle.MSVCRT ref: 00007FF718D54DEE
                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54E04
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D50589
                            • Part of subcall function 00007FF718D50580: SetConsoleMode.KERNELBASE ref: 00007FF718D5059E
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D505AF
                            • Part of subcall function 00007FF718D50580: GetConsoleMode.KERNELBASE ref: 00007FF718D505C5
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D505EF
                            • Part of subcall function 00007FF718D50580: GetConsoleMode.KERNELBASE ref: 00007FF718D50605
                            • Part of subcall function 00007FF718D50580: _get_osfhandle.MSVCRT ref: 00007FF718D50632
                            • Part of subcall function 00007FF718D50580: SetConsoleMode.KERNELBASE ref: 00007FF718D50647
                            • Part of subcall function 00007FF718D54A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A28
                            • Part of subcall function 00007FF718D54A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A66
                            • Part of subcall function 00007FF718D54A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A7D
                            • Part of subcall function 00007FF718D54A14: memmove.MSVCRT(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A9A
                            • Part of subcall function 00007FF718D54A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54AA2
                            • Part of subcall function 00007FF718D54AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AD6
                            • Part of subcall function 00007FF718D54AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AEF
                            • Part of subcall function 00007FF718D55554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF718D54E35), ref: 00007FF718D555DA
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D55623
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D55667
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D556BE
                            • Part of subcall function 00007FF718D55554: RegQueryValueExW.KERNELBASE ref: 00007FF718D55702
                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54E35
                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54E81
                          • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54F69
                          • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54F95
                          • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FB0
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FC1
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FD8
                          • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D54FF8
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D55037
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D5504B
                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D550DF
                          • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D550F2
                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D5510F
                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D55130
                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D5514A
                          • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF718D55175
                            • Part of subcall function 00007FF718D53578: _get_osfhandle.MSVCRT ref: 00007FF718D53584
                            • Part of subcall function 00007FF718D53578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                            • Part of subcall function 00007FF718D53578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                            • Part of subcall function 00007FF718D53578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                            • Part of subcall function 00007FF718D53578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                            • Part of subcall function 00007FF718D53578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          Strings
                          Similarity
                          • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                          • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                          • API String ID: 1049357271-3021193919
                          • Opcode ID: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                          • Instruction ID: bbe90bd8c78fd4c7fe8e6d92604338f93252f1983bf6e026e76d0992b7e6061b
                          • Instruction Fuzzy Hash: EBC15D61A08F4A86EB05BB11A851179F6B1FF8DBB4FC48235D98E43795DF3CA44D8328

                          Control-flow Graph
                          • Rendered graph not recoverable from extraction; first block at 7ff718d53c24, API calls on its nodes: GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetLastError, _local_unwind, GetFileAttributesW, SetCurrentDirectoryW
                          APIs
                          Strings
                          Similarity
                          • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                          • String ID: :
                          • API String ID: 1809961153-336475711
                          • Opcode ID: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                          • Instruction ID: 16c68941097148f4859e30e19119dce06b363c8a5774dc3edc17895876dc76d8
                          • Opcode Fuzzy Hash: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                          • Instruction Fuzzy Hash: 19D15F6260CF8981EB24AB15E4552BAF7B1FB89760F844236DA8E437A4DF3CE54CC714

                          Control-flow Graph (image not extracted; function at 7ff718d52394, blocks call memset, GetModuleFileNameW, wcschr, _wcsupr, wcsrchr, _wcsicmp and ??_V@YAXPEAX@Z)

                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                          • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                          • API String ID: 2622545777-4197029667
                          • Opcode ID: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                          • Instruction ID: 09d390c02a9ce2b8f079c5455b2ced51ab0abd1dd628dace76babded7e3864a0
                          • Opcode Fuzzy Hash: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                          • Instruction Fuzzy Hash: D1914C61A09F8A85EF25BB10D8505B9E3B1BF4CBA4FC48236C98E47695DE3CE50C8324
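The strings recorded for the function above (the default PATHEXT list .COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, COMSPEC, PATHEXT, PROMPT, \CMD.EXE) and the onecore\base\cmd\maxpathawarestring.cpp source path listed for another function in this image are characteristic of cmd.exe itself, which is consistent with the report's "Drops or copies cmd.exe with a different name" signature. The following Python is an added triage example, not part of the Joe Sandbox report: it scans a candidate file for those markers as UTF-16LE (the encoding cmd.exe stores them in) and reports whether the file looks like a renamed cmd.exe. The marker list, the minimum-hit threshold and the constructed sample image are assumptions chosen for illustration.

```python
import struct
import sys

# Markers taken from the strings the sandbox report lists for the analysed image.
# cmd.exe keeps them as wide (UTF-16LE) strings, so they are searched that way.
CMD_MARKERS = (
    ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",   # default PATHEXT
    "COMSPEC",
    "PATHEXT",
    "\\CMD.EXE",
    "onecore\\base\\cmd\\maxpathawarestring.cpp",
)


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_markers(data: bytes, markers=CMD_MARKERS) -> dict:
    """Map each marker to the byte offset of its first UTF-16LE occurrence, or -1."""
    return {m: data.find(m.encode("utf-16-le")) for m in markers}


def looks_like_cmd(data: bytes, min_hits: int = 3) -> bool:
    """Heuristic verdict: a PE image containing at least min_hits of the cmd.exe markers."""
    if not is_pe(data):
        return False
    hits = sum(1 for off in find_markers(data).values() if off >= 0)
    return hits >= min_hits


def build_sample(markers) -> bytes:
    """Constructed test image (assumption, not a real binary): a minimal MZ/PE
    header followed by the given strings as NUL-terminated UTF-16LE."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    hdr += b"PE\x00\x00"
    body = b"\x00" * 16 + b"\x00\x00".join(m.encode("utf-16-le") for m in markers)
    return bytes(hdr) + body + b"\x00\x00"


if __name__ == "__main__":
    # Scan a file given on the command line, else the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(CMD_MARKERS)
    for marker, offset in find_markers(blob).items():
        print(f"{'found' if offset >= 0 else 'missing':7} @0x{max(offset, 0):x}  {marker}")
    print("verdict: probable renamed cmd.exe" if looks_like_cmd(blob) else "verdict: not cmd.exe")
```

The marker check is only a first-pass filter: a definitive answer comes from hashing the dropped file and comparing it with the cmd.exe shipped in C:\Windows\System32 (or checking its Authenticode signature), which is what the sandbox's "copies cmd.exe with a different name" detection amounts to. The string scan is useful precisely when only a memory dump or a partially overwritten file is available.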

                          Control-flow Graph (image not extracted)

                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleMode_get_osfhandle
                          • String ID: CMD.EXE
                          • API String ID: 1606018815-3025314500
                          • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                          • Instruction ID: 26f1c0749396bdd1615f345a6cdda60f82e76e23410354b7f165d45a27f474b6
                          • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                          • Instruction Fuzzy Hash: C741D531A09F168BE718BB24E856578F7A0BB8E775FC84175C99E43350DF3CA40C8629

                          Control-flow Graph (image not extracted; function at 7ff718d4c620, blocks call GetConsoleTitleW, SetConsoleTitleW, GetLastError, towupper, wcsncmp and wcschr)

                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleTitlewcschr
                          • String ID: /$:
                          • API String ID: 2364928044-4222935259
                          • Opcode ID: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                          • Instruction ID: f5897a2460a5fda66329b52555a8555ac64d56fe15eb757648239965e7b04f29
                          • Opcode Fuzzy Hash: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                          • Instruction Fuzzy Hash: 30C19D61A08F4A81EB24BB1594452B9E2F0EF59BB4FC84271D99E476E5DF3CE44CC328

                          Control-flow Graph (image not extracted; function at 7ff718d47aa0, blocks call memset, GetFullPathNameW, CreateDirectoryW, GetLastError and free)

                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CreateDirectoryDriveFullNamePathTypefreememset
                          • String ID:
                          • API String ID: 1445986735-0
                          • Opcode ID: fe82e3eae3579b7f0e88292875d89759f9dd0f662728a8192ad32f6f8a3809eb
                          • Instruction ID: 063d474c2508422dbf452949602a28def1a7605e280948bf922f0d6ae63115a6
                          • Opcode Fuzzy Hash: fe82e3eae3579b7f0e88292875d89759f9dd0f662728a8192ad32f6f8a3809eb
                          • Instruction Fuzzy Hash: 04916132B08F9986EB64AB1194406B9F3B1FB4CBA4F858136DA8D07B94DF3CD54C8725

                          Control-flow Graph (image not extracted)

                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                          • String ID:
                          • API String ID: 4291973834-0
                          • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                          • Instruction ID: 1189ae2a5ae61fa3b7cca3c7ac9d0b98648099412c25f26f9ba842c4fed01512
                          • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                          • Instruction Fuzzy Hash: 6441EC21A08F0A86F750BB10E842236E2B0AF4C378FD40536D99D976A4DF7DE94CC768

                          Control-flow Graph (image not extracted)
                          APIs
                          • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A28
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A66
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A7D
                          • memmove.MSVCRT(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A9A
                          • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54AA2
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                          • String ID:
                          • API String ID: 1623332820-0
                          • Opcode ID: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                          • Instruction ID: 49b706479c9ec15682a12ec367f5ad59a9c100a2f86f5e4e780a5cf160e3329a
                          • Opcode Fuzzy Hash: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                          • Instruction Fuzzy Hash: 6B11C122B04B5682DF54AB02A004039FBB1FB8DFA8BC88135DE8E03744DE3CE44C8728

                          Control-flow Graph (image not extracted)

                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: onecore\base\cmd\maxpathawarestring.cpp
                          • API String ID: 2221118986-3416068913
                          • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                          • Instruction ID: 235ea427dc6a2ed7764fe92438c5b636eee05c1da4cbacbab64aaf3232b21c47
                          • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                          • Instruction Fuzzy Hash: 7C11CA21A08F4A81EB54EB16A145279D2A09F4CBB4F984331DEAD477D5DD3CD04C4328

                          Control-flow Graph (image not extracted; function at 7ff718d4be00, blocks call memset)

                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memsetwcschr
                          • String ID: 2$COMSPEC
                          • API String ID: 1764819092-1738800741
                          • Opcode ID: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                          • Instruction ID: 51825dd42125d073f38c48f7fb102c5c9c6e547a97519fa681ad4d2599864562
                          • Opcode Fuzzy Hash: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                          • Instruction Fuzzy Hash: 0C51C031A08F4A45FB70BB619441379E2A49FAD7A4FCC4071DACD42AD6DE2CE84C8768
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_taskmalloc
                          • String ID:
                          • API String ID: 1412018758-0
                          • Opcode ID: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                          • Instruction ID: 9e08a03e03070ecb77d2cb7a2b6665314c1a04c152d55f1a04b591c84d755fa0
                          • Opcode Fuzzy Hash: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                          • Instruction Fuzzy Hash: B1E0C941E59B1FA1FB193B627842178D2745F5E764E982531DD9D05382EE2CA09D8238
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                          • Instruction ID: 033659daa3aaa5e98109d821e65aae6ce5d3d0c1a1987554e33ccd3c4adf234f
                          • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                          • Instruction Fuzzy Hash: 74F04B31A18B4686EB08AB05E841168FBB0FB9DB20BD89135D98A03354DF3CE44D8718
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: exit
                          • String ID:
                          • API String ID: 2483651598-0
                          • Opcode ID: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                          • Instruction ID: 363da56883751ff70acbec2ed3db043b7fb5537c26ed47cc3a06a0f76e9767ef
                          • Opcode Fuzzy Hash: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                          • Instruction Fuzzy Hash: C1C01270708B4A47EB1C773164A1079D5755B4C211F845539C68681281DD28D40C8219
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: DefaultUser
                          • String ID:
                          • API String ID: 3358694519-0
                          • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                          • Instruction ID: 2516eaaa1b238ff67db580d8c14081a48363ec3cdec996f34653c72e2fe279e3
                          • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                          • Instruction Fuzzy Hash: 06E0C2A2D08F578BF7593E4160423B4D973CB6C7B2FC44132E68D812C04D2D284D522C
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                          • Instruction ID: fe0838f0563912c0075f1662831a974878f4733b1de0f88c4cb74483d7f75235
                          • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                          • Instruction Fuzzy Hash: 3FF0B421B09B9940EB409756B540129D3A19B4CBF0B888335FABC47BC5DE3CD4598304
                          APIs
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D67F44
                          • _get_osfhandle.MSVCRT ref: 00007FF718D67F5C
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D67F9E
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D67FFF
                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68020
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68036
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68061
                          • RtlFreeHeap.NTDLL ref: 00007FF718D68075
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D680D6
                          • RtlFreeHeap.NTDLL ref: 00007FF718D680EA
                          • _wcsnicmp.MSVCRT ref: 00007FF718D68177
                          • _wcsnicmp.MSVCRT ref: 00007FF718D6819A
                          • _wcsnicmp.MSVCRT ref: 00007FF718D681BD
                          • _wcsnicmp.MSVCRT ref: 00007FF718D681DC
                          • _wcsnicmp.MSVCRT ref: 00007FF718D681FB
                          • _wcsnicmp.MSVCRT ref: 00007FF718D6821A
                          • _wcsnicmp.MSVCRT ref: 00007FF718D68239
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68291
                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D682D7
                          • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D682FB
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D6831A
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68364
                          • RtlFreeHeap.NTDLL ref: 00007FF718D68378
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D6839A
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D683AE
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D683E6
                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68403
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF718D68418
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                          • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                          • API String ID: 3637805771-3100821235
                          • Opcode ID: c15d10fa516844a3d30f6ee6566238d7eb90fade697e3424b0e4caa7a671d349
                          • Instruction ID: 1624fd992df05dac8b1f7da137e34bb7508be44d7a4d201177b0d22f20a171ab
                          • Opcode Fuzzy Hash: c15d10fa516844a3d30f6ee6566238d7eb90fade697e3424b0e4caa7a671d349
                          • Instruction Fuzzy Hash: 46E19271A08F5A8AE714AB61E401179FAB1FB4DBA9BD48230DD9E53794DF3CA40CC724
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                          • String ID: DPATH
                          • API String ID: 95024817-2010427443
                          • Opcode ID: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                          • Instruction ID: d80d5a8d6824c30011bb5958682cb3915ea634037319e34e1d7305702a6e703c
                          • Opcode Fuzzy Hash: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                          • Instruction Fuzzy Hash: 6512B332A08F8A86E764AF15A4401B9F6A2FB8D764FD45135EA8E53794DF3CE40C8B14
                          APIs
                          • _wcsupr.MSVCRT ref: 00007FF718D6EF33
                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EF98
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EFA9
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EFBF
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF718D6EFDC
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6EFED
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F003
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F022
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F083
                          • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F092
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F0A5
                          • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF718D6F0DB
                          • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F135
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F16C
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF718D6E964), ref: 00007FF718D6F185
                            • Part of subcall function 00007FF718D501B8: _get_osfhandle.MSVCRT ref: 00007FF718D501C4
                            • Part of subcall function 00007FF718D501B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D501D6
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                          • String ID: <noalias>$CMD.EXE
                          • API String ID: 1161012917-1690691951
                          • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                          • Instruction ID: da441310c98a3805eb8cccd45e034b48561ae853b1bb52edc4942ed6a163c0ce
                          • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                          • Instruction Fuzzy Hash: 87917021B09F5A8AFB04AB60E4411BDFAB0AF4DB78FD84135DD8E42695DF3CA44D8324
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                          • String ID: %02d%s%02d%s%02d$%s $%s %s
                          • API String ID: 1795611712-4023967598
                          • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                          • Instruction ID: dc5853c369473a6ca7146477d47e6b641267fcdc98bdec7d86edeacd82947d90
                          • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                          • Instruction Fuzzy Hash: 44E1B021A08F4E86FB10AF64A8411B9E6B2FF4D7A4FD44132D98E47695DF3CE50C8368
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                          • String ID: \\?\
                          • API String ID: 628682198-4282027825
                          • Opcode ID: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                          • Instruction ID: 9d4a8968559c1dc6bc7335e06564c5eaa3cb9701485c5ccd492a6a85f30ae9d8
                          • Opcode Fuzzy Hash: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                          • Instruction Fuzzy Hash: 48E18131B08F8A96EF64AB24D8502F9E3A0FB49769F844135D98E46B94EF3CD54DC314
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                          • String ID: GOTO$mkdir "\\?\C:\Windows \SysWOW64"
                          • API String ID: 3863671652-2385155047
                          • Opcode ID: 8a7ebebe1ccbf711eb435a48e2ca9f96987f67b530ed60dee1bcce27abdacbd9
                          • Instruction ID: ade3d96499f3b27a5069a8f1ff62a733d8c024913b94394ff0027fd4d4be5dd5
                          • Opcode Fuzzy Hash: 8a7ebebe1ccbf711eb435a48e2ca9f96987f67b530ed60dee1bcce27abdacbd9
                          • Instruction Fuzzy Hash: 43E1DD31A09F4A86FB64BB159444379E6A0AF4D774FD84236C98E43AD1DF3CE84D8728
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                          • String ID:
                          • API String ID: 3935429995-0
                          • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                          • Instruction ID: e262bebe74c5f069e6ff2c7615e8b9685dfc5013b9db2482a3780ccc22556c59
                          • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                          • Instruction Fuzzy Hash: 3A61B126A08F96C2EB14AF21A405579FBA1FB8DF68F858235DE8A43790DF3CD40D8714
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Time$File$System$FormatInfoLocalLocale
                          • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                          • API String ID: 55602301-695310191
                          • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                          • Instruction ID: e4e1c09b9103a124a822a8435c7c64a55bbebf752b0a5f600b7a72b126ea610f
                          • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                          • Instruction Fuzzy Hash: A1A18272A08F4A96EB10AB10E4401BAF7B5FB89764FD04236DA8E43694EF3CE54CC754
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                          • Instruction ID: 26b99ddedf1d57922a2265bf6bf660dfbc7ecaac4b56e1808808a69afb4ec500
                          • Opcode Fuzzy Hash: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                          • Instruction Fuzzy Hash: 04919F32608F8A86EB28AF25D4502FDF6A0FB4D769F944135DA8E47B94DE3CD54CC224
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorFileFindFirstLast
                          • String ID:
                          • API String ID: 873889042-0
                          • Opcode ID: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                          • Instruction ID: f42558e83a8816533f83753d22104c85286e8e14183712f9df04dda3b31d3916
                          • Opcode Fuzzy Hash: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                          • Instruction Fuzzy Hash: 48512B35A09F4A8AE700AF11A441279FBB0FB5EBA1FD48232DA9D43354CF3CE45C8618
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                          • String ID: %9d
                          • API String ID: 1006866328-2241623522
                          • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                          • Instruction ID: 6a198dbc205421cb02d477cbc51231dbbf1da7478deb92ffe7b2ad0f942f0cf5
                          • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                          • Instruction Fuzzy Hash: 1F516072A08B4A9AE700AF1198415A8FBB0FB49774FC44635DAAD53795CF3CE50CCB24
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                          • Instruction ID: 785cd84dc2ca9042db46c23a143b05e8caa07473419494595fb88bf0b5abf10d
                          • Opcode Fuzzy Hash: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                          • Instruction Fuzzy Hash: 8EC1F832A09F8A86EB61EB11E450AB9E3B0FB597A4F884171DA8D07B95DF3CD14CC314
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmp$iswspacewcschr
                          • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                          • API String ID: 840959033-3627297882
                          • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                          • Instruction ID: 072f1ec79d8d14a9024a761b583007744e83c5265736a651e3af6450152a9169
                          • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                          • Instruction Fuzzy Hash: FDD15B21E08F0B86FB10BB61E8452B8E7B1BF5DB64FC44136D58D462A5EE2CA40D8739
                          APIs
                            • Part of subcall function 00007FF718D53578: _get_osfhandle.MSVCRT ref: 00007FF718D53584
                            • Part of subcall function 00007FF718D53578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                            • Part of subcall function 00007FF718D53578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                            • Part of subcall function 00007FF718D53578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                            • Part of subcall function 00007FF718D53578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                            • Part of subcall function 00007FF718D53578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          • _get_osfhandle.MSVCRT ref: 00007FF718D432F3
                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF718D432A4), ref: 00007FF718D43309
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF718D43384
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D611DF
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                          • String ID:
                          • API String ID: 611521582-0
                          • Opcode ID: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                          • Instruction ID: 92d55ec69ea7531689af60269d462ce89c25f578714490eb5cdd73d8fd24372a
                          • Opcode Fuzzy Hash: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                          • Instruction Fuzzy Hash: D4A1C232F08F5A86FB18AB65A4052BDE6A1FB4DB69FC44139CD8E46B40DF3C944D8724
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CreateFile_open_osfhandle
                          • String ID: con
                          • API String ID: 2905481843-4257191772
                          • Opcode ID: 3459eb2e79cd0d2b6a799ffdb85acc031fe8388b8b96825e157d57a9e1669ecc
                          • Instruction ID: 4d15f64e28fc5b51f1478e93b8b6fb646ae215716a18e6cca9a1505304066dec
                          • Opcode Fuzzy Hash: 3459eb2e79cd0d2b6a799ffdb85acc031fe8388b8b96825e157d57a9e1669ecc
                          • Instruction Fuzzy Hash: DF718232A08B858AE720AF14A440279FBB1FB8EB75F944335EA9D42794DF3CD44D8B14
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                          • String ID: CSVFS$NTFS$REFS
                          • API String ID: 3510147486-2605508654
                          • Opcode ID: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                          • Instruction ID: 607ecee09e86f02c098fffcc034f065a538f20ee09a808beb2fd93aa1744daf3
                          • Opcode Fuzzy Hash: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                          • Instruction Fuzzy Hash: 55615932608F868AEB65AF21E8443E9F7A5FB49B98F844235CA4D4B758DF38D10CC714
                          APIs
                          • longjmp.MSVCRT(?,00000000,00000000,00007FF718D47279,?,?,?,?,?,00007FF718D4BFA9), ref: 00007FF718D64485
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: longjmp
                          • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                          • API String ID: 1832741078-366822981
                          • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                          • Instruction ID: bc6e28422725a81fd9a7074aaaff528feaf21dac33ad8da8994c378d6af34eeb
                          • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                          • Instruction Fuzzy Hash: 6CC17C20F0CF4E85E724FA1651845BCE7A3AB4EBB4FE54036D98D53A91CF2CA44D8369
                          APIs
                            • Part of subcall function 00007FF718D4CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                            • Part of subcall function 00007FF718D4CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          • memset.MSVCRT ref: 00007FF718D4BA2B
                          • wcschr.MSVCRT ref: 00007FF718D4BA8A
                          • wcschr.MSVCRT ref: 00007FF718D4BAAA
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heapwcschr$AllocProcessmemset
                          • String ID: -$:.\$=,;$=,;+/[] "
                          • API String ID: 2872855111-969133440
                          • Opcode ID: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                          • Instruction ID: d835583ea9d37ce22172e5bd9dd944262f36099ec3a71817a17c57039e2e1424
                          • Opcode Fuzzy Hash: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                          • Instruction Fuzzy Hash: 66B18231A08F4A81EB60AB55908427DE6A0FF5C7A4FD94275CADE43B94DF7CE44D8328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$_wcsicmp$AllocProcess
                          • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                          • API String ID: 3223794493-3086019870
                          • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                          • Instruction ID: 8a16cf73e8b84ef4f4f50ec84ef19c1d8250074c3dec8f81551d67a78790c37b
                          • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                          • Instruction Fuzzy Hash: 0D516D35A08F4A8AEB04AB15A411179EBB0FB5DBB4FD84175C99E027A4DF3CE04DC728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: LocalTime$ErrorLast_get_osfhandle
                          • String ID: %s$/-.$:
                          • API String ID: 1644023181-879152773
                          • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                          • Instruction ID: c7272a55ea01a4274ca06300b5e2a925d986a8746adb601935e68d61e7e4d6fe
                          • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                          • Instruction Fuzzy Hash: B69193A2A08F4E91EF14AB25D4522B9E3A0FF48BB4FD44136D9CE42694DE3CE54DC724
                          APIs
                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF718D67251), ref: 00007FF718D6628E
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ObjectSingleWait
                          • String ID: wil
                          • API String ID: 24740636-1589926490
                          • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                          • Instruction ID: d5c0364e89f76d35f7b678a08f72c01c08c8a2aa28c9d98935f29dd209503926
                          • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                          • Instruction Fuzzy Hash: 0D416121A08F4B83F3606B11F40127DE6A1EF8D7A4FF48131E98946694DF3DE84C8725
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                          • String ID: $Application$System
                          • API String ID: 3377411628-1881496484
                          • Opcode ID: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                          • Instruction ID: 91b5ffe50e93a4e4f91f51e0ded5a2f0c5fc3cae294cd853ac092d88894eee41
                          • Opcode Fuzzy Hash: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                          • Instruction Fuzzy Hash: 7F414832B08F469AE710AB60E4403EDB7B5EB8D768F845235DA8E42B58EF38D10DC754
                          APIs
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506D6
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506F0
                            • Part of subcall function 00007FF718D506C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D5074D
                            • Part of subcall function 00007FF718D506C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D50762
                          • _wcsicmp.MSVCRT ref: 00007FF718D525CA
                          • _wcsicmp.MSVCRT ref: 00007FF718D525E8
                          • _wcsicmp.MSVCRT ref: 00007FF718D5260F
                          • _wcsicmp.MSVCRT ref: 00007FF718D52636
                          • _wcsicmp.MSVCRT ref: 00007FF718D52650
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsicmp$Heap$AllocProcess
                          • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                          • API String ID: 3407644289-1668778490
                          • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                          • Instruction ID: d77ecf3db381c8a66aaa2fe7df130025494dd34f60b2c4f1351ff9d81530b148
                          • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                          • Instruction Fuzzy Hash: 0E315D21A0CF0A85F7157F21E815279E6B5AF8CB65FC48136EA8E46295DF3CE40CC729
                          APIs
                            • Part of subcall function 00007FF718D4D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D46E
                            • Part of subcall function 00007FF718D4D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF718D4D485
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D4EE
                            • Part of subcall function 00007FF718D4D3F0: iswspace.MSVCRT ref: 00007FF718D4D54D
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D569
                            • Part of subcall function 00007FF718D4D3F0: wcschr.MSVCRT ref: 00007FF718D4D58C
                          • iswspace.MSVCRT ref: 00007FF718D57EEE
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heapiswspace$AllocProcess
                          • String ID: A
                          • API String ID: 3731854180-3554254475
                          • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                          • Instruction ID: 3a466747c638f7a2f4f37ef013ba15606f98c853852929f1f0cc1b4dad51bab7
                          • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                          • Instruction Fuzzy Hash: 32A17C21909F8A8AE720BB11A451279F6B0FF4D7A4FE48135DACD47794DF3CA84D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                          • String ID: PE
                          • API String ID: 2941894976-4258593460
                          • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                          • Instruction ID: 224424bc2e105748b0ac1c47427e60060a8b72bcc7bf380fc76f82bed164be16
                          • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                          • Instruction Fuzzy Hash: 2F415161608F9986E724AB12E410279F7A1FB8DBA0F944230DADD03B95DF3CE44DCB25
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Enum$Openwcsrchr
                          • String ID: %s=%s$.$\Shell\Open\Command
                          • API String ID: 3402383852-1459555574
                          • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                          • Instruction ID: d6aad88592c66eec9f32d1871268cc42b498b754b7e474adba26d290f8d7e2eb
                          • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                          • Instruction Fuzzy Hash: 53A1A161A09F4E92EB10BB5590502F9E2A0EF89BB4FE44131DA8D07785DF7CE94DC728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$wcscmp
                          • String ID: %s
                          • API String ID: 243296809-3043279178
                          • Opcode ID: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                          • Instruction ID: 741d5141561bca077d736d9281fb106e746904ffab9713e5cc5209eadce14f29
                          • Opcode Fuzzy Hash: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                          • Instruction Fuzzy Hash: DEA19422709B8A96EB25EB21D8403F9E3B0FB4C758F944136DA8D4B695DF3CE64C8314
                          APIs
                            • Part of subcall function 00007FF718D4CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDA6
                            • Part of subcall function 00007FF718D4CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4B9A1,?,?,?,?,00007FF718D4D81A), ref: 00007FF718D4CDBD
                          • wcschr.MSVCRT(?,?,?,00007FF718D499DD), ref: 00007FF718D49A39
                            • Part of subcall function 00007FF718D4DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF718D4CEAA), ref: 00007FF718D4DFB8
                            • Part of subcall function 00007FF718D4DF60: RtlFreeHeap.NTDLL ref: 00007FF718D4DFCC
                            • Part of subcall function 00007FF718D4DF60: _setjmp.MSVCRT ref: 00007FF718D4E03E
                          • wcschr.MSVCRT(?,?,?,00007FF718D499DD), ref: 00007FF718D49AF0
                          • wcschr.MSVCRT(?,?,?,00007FF718D499DD), ref: 00007FF718D49B0F
                            • Part of subcall function 00007FF718D496E8: memset.MSVCRT ref: 00007FF718D497B2
                            • Part of subcall function 00007FF718D496E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D49880
                          • _wcsupr.MSVCRT ref: 00007FF718D5B844
                          • wcscmp.MSVCRT ref: 00007FF718D5B86D
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                          • String ID: FOR$ IF
                          • API String ID: 3663254013-2924197646
                          • Opcode ID: f67f85f591da67d4ae817e2fb353553f76712647fd4c669d5220a84d1aca1485
                          • Instruction ID: 57c65a8cb56f0cd961f94f81892f172e84627d315bb8399391af1ef98b31e7fa
                          • Opcode Fuzzy Hash: f67f85f591da67d4ae817e2fb353553f76712647fd4c669d5220a84d1aca1485
                          • Instruction Fuzzy Hash: 86518D20A09F4A91FF14BB169451279EAB1AF4DBB0FC84235D99E47BD1DF3CA40D8728
                          APIs
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F0D6
                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1BA
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F1E7
                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1FF
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F2BB
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswdigit$iswspacewcschr
                          • String ID: )$=,;
                          • API String ID: 1959970872-2167043656
                          • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                          • Instruction ID: 77edb9c98d02974ef9be8c98f181eafc5909187ffa9576e29b0bc66c720f11d0
                          • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                          • Instruction Fuzzy Hash: 1B41AD71E08B5A86FB647B14A448379E6A0AF18765FC850B2CACD429B4DF3CA44D8728
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorLast$InformationVolumeiswalphatowupper
                          • String ID: %04X-%04X$:
                          • API String ID: 930873262-1938371929
                          • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                          • Instruction ID: 0bb617ca816231789e5dd26c5c0f4ade15249dee34eb819920da55e67533b9a2
                          • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                          • Instruction Fuzzy Hash: 56415E21A08F8AC2EB24BB64E4412BAE261FB8D764FD44236D9CD426D5DF3CD54CC728
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                          • String ID:
                          • API String ID: 1313749407-0
                          • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                          • Instruction ID: 9f6cae6f7aee35e0f77e3a77ce1bbe6f1c02a03be65caf0c254e49b59fe9aabb
                          • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                          • Instruction Fuzzy Hash: 37519121A08F8A82EB14BB11A41517AE6B1BF4DBB0FD85231DD9E077D0DF3CE44C8268
                          APIs
                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1BA
                          • wcschr.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F1E7
                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF718D4E626,?,?,00000000,00007FF718D51F69), ref: 00007FF718D4F1FF
                          • iswdigit.MSVCRT(?,?,00000000,00007FF718D51F69,?,?,?,?,?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000), ref: 00007FF718D4F2BB
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswdigit$iswspacewcschr
                          • String ID: )$=,;
                          • API String ID: 1959970872-2167043656
                          • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                          • Instruction ID: f1a42d63b15fd4677f2d4a957f866c9b97ffceb293076052d93c59e4f3613261
                          • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                          • Instruction Fuzzy Hash: A9418875E08F1F86FB647B14E548279E6A0AF19764FC850B2C9CD429B4CF3CA44D8629
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmpfprintfwcsrchr
                          • String ID: CMD Internal Error %s$%s$Null environment
                          • API String ID: 3625580822-2781220306
                          • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                          • Instruction ID: 204cbd769e1f0875f7cbf73aef710aa2dd40ae13215966ca5d07d53c4ccb5616
                          • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                          • Instruction Fuzzy Hash: B031A221A08F4EA2EB14BB42A5001FAF260BB4DBB4FD44131CD9D17795DE3CE44D8318
                          APIs
                          • _get_osfhandle.MSVCRT ref: 00007FF718D63687
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D636A6
                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D636EB
                          • _get_osfhandle.MSVCRT ref: 00007FF718D63703
                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D63722
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$Write_get_osfhandle$Mode
                          • String ID:
                          • API String ID: 1066134489-0
                          • Opcode ID: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                          • Instruction ID: 70e58f1ac48ebf456bd9a9f1f1b61df7aa01bd05b093d6df805d023acdc09c42
                          • Opcode Fuzzy Hash: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                          • Instruction Fuzzy Hash: D4519221B08F4E87EB286F11940457AE6A1EF5C7B4F984535DE8A03B90DF3CE44C8B28
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                          • String ID:
                          • API String ID: 3249344982-0
                          • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                          • Instruction ID: 67fee4a820dd34b833065ab626e3ab4b5b73ba4fc3aa5b9ff05d23ee2c31bdea
                          • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                          • Instruction Fuzzy Hash: 8A413E72A18F4986E314AF11A845369FAB4FB8DFE8F844235DA8907794CF3CD15C8B14
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$DriveErrorInformationLastTypeVolume
                          • String ID:
                          • API String ID: 850181435-0
                          • Opcode ID: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                          • Instruction ID: b203889d5f0bb95d178e20f205570ae0586644dc2670e45b89647728603e37eb
                          • Opcode Fuzzy Hash: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                          • Instruction Fuzzy Hash: 2B415932608FC589E7609F21D8452E9F7A0FB89B98F984135DA8D4BB48CF78D54DC714
                          APIs
                          • _get_osfhandle.MSVCRT ref: 00007FF718D501C4
                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D501D6
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D50212
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D50228
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D5023C
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF718D5E904,?,?,?,?,00000000,00007FF718D53491,?,?,?,00007FF718D64420), ref: 00007FF718D50251
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                          • String ID:
                          • API String ID: 513048808-0
                          • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                          • Instruction ID: d03c1f9f92c3210e64b1e92cb0cb6ea0720e8ec3e6c7208a28a75ab0284fff80
                          • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                          • Instruction Fuzzy Hash: EB21812190CF8AC7E7546B60A585238FAB0FF4EB75FD44235D99E42694CE3CE84C8729
                          APIs
                          • _get_osfhandle.MSVCRT ref: 00007FF718D53584
                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D5359C
                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535C3
                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535D9
                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D535ED
                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF718D432E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF718D53602
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                          • String ID:
                          • API String ID: 513048808-0
                          • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                          • Instruction ID: 05792f759be9a57b349bcc43e2538aaecb10f58f0d121d656a7d726e6c95407b
                          • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                          • Instruction Fuzzy Hash: 5B114F21A08F4A86EB186B64A545078EAB0FF4EB75FD45335DAAE433D0DE3CD44C8715
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                          • String ID:
                          • API String ID: 4104442557-0
                          • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                          • Instruction ID: 00bca345a54cfcdd9bb1ff5a52ff89e89671fc42a2b7c7e334c191f6a44ec001
                          • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                          • Instruction Fuzzy Hash: CE115122604F458AEB00EF61E8452A8B3A4FB0D76CF800A35EAAD47B54DF3CD1AC8354
                          APIs
                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF718D671F9
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D6720D
                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF718D67300
                            • Part of subcall function 00007FF718D65740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF718D675C4,?,?,00000000,00007FF718D66999,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D65744
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: OpenSemaphore$CloseErrorHandleLast
                          • String ID: _p0$wil
                          • API String ID: 455305043-1814513734
                          • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                          • Instruction ID: fca50cf682b42d35face77218cc045240f6028504ec657056dbda288d907cf0e
                          • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                          • Instruction Fuzzy Hash: 2C61A461B18F8E81EF25AB5594101B9E3A1EF8CBA4FE54632D98E07754EF3CD50D8328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heapiswspacememset$AllocProcess
                          • String ID: %s
                          • API String ID: 2401724867-3043279178
                          • Opcode ID: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                          • Instruction ID: ee73df1af08d14a386c196af009c4c73d0108abaa8434dca28edcc9b60a49866
                          • Opcode Fuzzy Hash: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                          • Instruction Fuzzy Hash: 3B51A172A08F8A85EB20AF21D8412B9F3B1EB4DBA4F844135DA8D47694EF3CD44DC724
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswdigit
                          • String ID: GeToken: (%x) '%s'
                          • API String ID: 3849470556-1994581435
                          • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                          • Instruction ID: 9cc2e445f1ee9d40ed7eecbf0cf4da1e4b74159ba150e642cccb1a79acf2aaa9
                          • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                          • Instruction Fuzzy Hash: 6F515A3190CF4A95E724AF56A484179F7A0BB58B34F888575DACD43A91DF7CE44CC328
                          APIs
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D69A10
                          • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF718D69994
                            • Part of subcall function 00007FF718D6A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A77A
                            • Part of subcall function 00007FF718D6A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A839
                            • Part of subcall function 00007FF718D6A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF718D69A82), ref: 00007FF718D6A850
                          • wcsrchr.MSVCRT ref: 00007FF718D69A62
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorLast$CloseEnumOpenwcsrchr
                          • String ID: %s=%s$.
                          • API String ID: 3242694432-4275322459
                          • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                          • Instruction ID: b51e6a082f48b20e9b2cda08afb49785b4f931f4ab9086aa061549c0067b45f6
                          • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                          • Instruction Fuzzy Hash: B2419F21A09F4E96EF14BB52A0502B9E2A1EF4D7B0FA44231DDDD077D5DE3CE44D8228
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CurrentDirectorytowupper
                          • String ID: :$:
                          • API String ID: 238703822-3780739392
                          • Opcode ID: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
                          • Instruction ID: d5088a22474bd482a6a7f71596e2fc7e46b816613df507a7f2b26d831fd6d3bf
                          • Opcode Fuzzy Hash: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
                          • Instruction Fuzzy Hash: BD112292608B4582EB24AB61A80563AF6B0FF4D7A9FC58232DD8D07794DE3CD00D8728
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$CurrentDirectorytowupper
                          • String ID:
                          • API String ID: 1403193329-0
                          • Opcode ID: 42cade6b9a84014cdd55cf9873a1d02384d54167611cbf46e5f63f406bd17b97
                          • Instruction ID: d3c3830ac4fa294bfd0166fbbd0880678090e88dcc72baf3060690436ba86fa5
                          • Opcode Fuzzy Hash: 42cade6b9a84014cdd55cf9873a1d02384d54167611cbf46e5f63f406bd17b97
                          • Instruction Fuzzy Hash: 5E51B926605B8985EB65AF24E9006B9F7B0FF4C768FC58236D98D07694EF3CD54C8324
                          APIs
                          • memset.MSVCRT ref: 00007FF718D4921C
                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF718D493AA
                            • Part of subcall function 00007FF718D48B20: wcsrchr.MSVCRT ref: 00007FF718D48BAB
                            • Part of subcall function 00007FF718D48B20: _wcsicmp.MSVCRT ref: 00007FF718D48BD4
                            • Part of subcall function 00007FF718D48B20: _wcsicmp.MSVCRT ref: 00007FF718D48BF2
                            • Part of subcall function 00007FF718D48B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D48C16
                            • Part of subcall function 00007FF718D48B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D48C2F
                            • Part of subcall function 00007FF718D48B20: wcschr.MSVCRT ref: 00007FF718D48CB3
                            • Part of subcall function 00007FF718D5417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D541AD
                            • Part of subcall function 00007FF718D53060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF718D492AC), ref: 00007FF718D530CA
                            • Part of subcall function 00007FF718D53060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D530DD
                            • Part of subcall function 00007FF718D53060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D530F6
                            • Part of subcall function 00007FF718D53060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D53106
                          • wcsrchr.MSVCRT ref: 00007FF718D492D8
                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D49362
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF718D49373
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                          • String ID:
                          • API String ID: 3966000956-0
                          • Opcode ID: ebfeb5aba0ebfd8d4bf52c22c54dc17d70488fb3d721b256590214c2a6c830f5
                          • Instruction ID: da95b63afb2cd9854da63f31223b6ce31f6ec4b8c7999bdc5c0510cf410f0d62
                          • Opcode Fuzzy Hash: ebfeb5aba0ebfd8d4bf52c22c54dc17d70488fb3d721b256590214c2a6c830f5
                          • Instruction Fuzzy Hash: 6A519132A09B8A85EB21AF21D8552BDE3A0FB4DB64F884171DA8D07B94DF3CE15DC714
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ErrorModememset$FullNamePath_wcsicmp
                          • String ID:
                          • API String ID: 2123716050-0
                          • Opcode ID: adb19cba2c66798b02c2a5bbb02a13772110447b40978f30d8852c1ecb13dfff
                          • Instruction ID: 2ede39c5e764906d82746c1559c5b1a7e0a52ce66e8702293063dc1b6383eeaf
                          • Opcode Fuzzy Hash: adb19cba2c66798b02c2a5bbb02a13772110447b40978f30d8852c1ecb13dfff
                          • Instruction Fuzzy Hash: 6B41D432705FCA8AEB359F21D8413E9A7A4EB4D75CF944134CA8D4AA98DF3CE24C8314
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                          • String ID:
                          • API String ID: 3114114779-0
                          • Opcode ID: 1d3c40c4db9270235dfbff6205660991289e4dcca270832023e59d6b38883110
                          • Instruction ID: 8581490a6cffa08ab49ed88a40f0adb06c8f3f4d525376edf5b3e0ffe83da1ce
                          • Opcode Fuzzy Hash: 1d3c40c4db9270235dfbff6205660991289e4dcca270832023e59d6b38883110
                          • Instruction Fuzzy Hash: 93415832A05F0ACAE700AF65E4402ACB7B5FB48758FA44075EA4E93B54DF38E40EC764
                          APIs
                            • Part of subcall function 00007FF718D533A8: iswspace.MSVCRT(?,?,00000000,00007FF718D6D6EE,?,?,?,00007FF718D60632), ref: 00007FF718D533C0
                          • iswspace.MSVCRT(?,?,?,00007FF718D532A4), ref: 00007FF718D5331C
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswspace
                          • String ID: off
                          • API String ID: 2389812497-733764931
                          • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                          • Instruction ID: ad7fa7c888ccb346f1c3ca85c388ce643c7487069608ed1b580f77283de28b4a
                          • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                          • Instruction Fuzzy Hash: 2E215321E0CF5A81FB687B15945527DE6B1EF4EBB0FC8823AD98D47681DE1CE44C8329
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcschr$Heapiswspace$AllocProcess
                          • String ID: %s=%s$DPATH$PATH
                          • API String ID: 3731854180-3148396303
                          • Opcode ID: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                          • Instruction ID: b65361c612fb6f5a392367021ec2550d0bc8dc8aeae03df54dfdf37a3c662378
                          • Opcode Fuzzy Hash: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                          • Instruction Fuzzy Hash: 4521B021B08F5F90EB54BB65E4402B9E2B1AF88BA4FD84135DD8E47394DE2CD44C8368
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: wcscmp
                          • String ID: *.*$????????.???
                          • API String ID: 3392835482-3870530610
                          • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                          • Instruction ID: 66ba722c32ac06b3c80d949fcf81467e05751207a07caeea03e1695df8630f91
                          • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                          • Instruction Fuzzy Hash: AF110225B24F6A80E764AB22A44153AF6B1FB4CBA1F884132CECD47B45DE3CE4498724
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: memset$CurrentDirectorytowupper
                          • String ID:
                          • API String ID: 1403193329-0
                          • Opcode ID: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                          • Instruction ID: ba9da38a9d6737a6aaf5cc53de4c1bc6c47ec2e4f3ff0c51ded7d74d21885afc
                          • Opcode Fuzzy Hash: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                          • Instruction Fuzzy Hash: C8619032B08F868AEB10EB65D4402ADF7B4FB48768F944235DE9D13A99DF38D458C714
                          APIs
                            • Part of subcall function 00007FF718D53C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF718D53D0C
                            • Part of subcall function 00007FF718D53C24: towupper.MSVCRT ref: 00007FF718D53D2F
                            • Part of subcall function 00007FF718D53C24: iswalpha.MSVCRT ref: 00007FF718D53D4F
                            • Part of subcall function 00007FF718D53C24: towupper.MSVCRT ref: 00007FF718D53D75
                            • Part of subcall function 00007FF718D53C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D53DBF
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925,?,?,?,?,00007FF718D4B9B1), ref: 00007FF718D46ABF
                          • RtlFreeHeap.NTDLL ref: 00007FF718D46AD3
                            • Part of subcall function 00007FF718D46B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF718D46AE8,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B8B
                            • Part of subcall function 00007FF718D46B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF718D46AE8,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B97
                            • Part of subcall function 00007FF718D46B84: RtlFreeHeap.NTDLL ref: 00007FF718D46BAF
                            • Part of subcall function 00007FF718D46B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D46AF1,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B39
                            • Part of subcall function 00007FF718D46B30: RtlFreeHeap.NTDLL ref: 00007FF718D46B4D
                            • Part of subcall function 00007FF718D46B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D46AF1,?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925), ref: 00007FF718D46B59
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D6EA0F,?,?,?,00007FF718D6E925,?,?,?,?,00007FF718D4B9B1), ref: 00007FF718D46B03
                          • RtlFreeHeap.NTDLL ref: 00007FF718D46B17
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                           • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                           • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                          • String ID:
                          • API String ID: 3512109576-0
                          • Opcode ID: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                          • Instruction ID: f42d970d601c5e6634eb633fce20940771660511a128658ad0c6f260eb06a008
                          • Opcode Fuzzy Hash: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                          • Instruction Fuzzy Hash: D3219F21909F8AC5EB04BF65A4153B8FBA1EF5DB59F988071CA8E03351DE2CA44DC338
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B6D0
                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B6E7
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B701
                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D4AF82), ref: 00007FF718D4B715
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocSize
                          • String ID:
                          • API String ID: 2549470565-0
                          • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                          • Instruction ID: 6b200a1628b1971bd647378313e4c0b820458c63185ef431d3856d4167e8f1c3
                          • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                          • Instruction Fuzzy Hash: CC214531A09F8A86EB18AB55E440078F6A1FB5DBA4BDC9571DA8E03B54DF3CE44DC324
                          APIs
                            • Part of subcall function 00007FF718D51EA0: wcschr.MSVCRT(?,?,?,00007FF718D4286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF718D70D54), ref: 00007FF718D51EB3
                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF718D45A2E
                          • _open_osfhandle.MSVCRT ref: 00007FF718D45A4F
                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF718D4260D), ref: 00007FF718D637AA
                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF718D637D2
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                          • String ID:
                          • API String ID: 22757656-0
                          • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                          • Instruction ID: ad23408d0f4b4a7dc82d0f14924b4b3dbe66e2beeff0bde0b77f5d87b1c545b6
                          • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                          • Instruction Fuzzy Hash: 9A115E71A14B498BE7146B24E449339EAA0EB8DB78FA44334D6AA077D0CF3CD44D8B14
                          APIs
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                          • String ID:
                          • API String ID: 140117192-0
                          • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                          • Instruction ID: f4002d9b01eb0b71fdb9cf5f5ef3d3bb77ca4d3c8a0d209f1062cd42d8c43493
                          • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                          • Instruction Fuzzy Hash: 8D216D36918F4985E740AB04E885369F7B4FB89768F900136EA8D82768DF7DE44DC728
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF718D65433,?,?,?,00007FF718D669B8,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D656C5
                          • RtlFreeHeap.NTDLL ref: 00007FF718D656D9
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF718D65433,?,?,?,00007FF718D669B8,?,?,?,?,?,00007FF718D58C39), ref: 00007FF718D656FD
                          • RtlFreeHeap.NTDLL ref: 00007FF718D65711
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$FreeProcess
                          • String ID:
                          • API String ID: 3859560861-0
                          • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                          • Instruction ID: f34df002d96e504040e0ef05f15a3baa538542540be2dae09cbd49f7f54d69ca
                          • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                          • Instruction Fuzzy Hash: 55111672A04F8586DB049F56E4040A8FBB0F74DF99B988135DB8E03718DF38E49AC754
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AD6
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D54AEF
                            • Part of subcall function 00007FF718D54A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A28
                            • Part of subcall function 00007FF718D54A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A66
                            • Part of subcall function 00007FF718D54A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A7D
                            • Part of subcall function 00007FF718D54A14: memmove.MSVCRT(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54A9A
                            • Part of subcall function 00007FF718D54A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF718D549F1), ref: 00007FF718D54AA2
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF718D48798), ref: 00007FF718D5EE64
                          • RtlFreeHeap.NTDLL ref: 00007FF718D5EE78
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                          • String ID:
                          • API String ID: 2759988882-0
                          • Opcode ID: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
                          • Instruction ID: 846b0f8ef4ba59fb6c60c5467aaee5f563d42ba14470364107582182c9568d99
                          • Opcode Fuzzy Hash: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
                          • Instruction Fuzzy Hash: EDF03C60A15F8686EB08AB669405178E9F1EF8EB65BC89134C98E42340EE3CA50C8235
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: ConsoleTitle
                          • String ID: -
                          • API String ID: 3358957663-3695764949
                          • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                          • Instruction ID: e0cc102f887cf4f1236685ebf5e4a65a350bc9eb5616785561388ded8f615944
                          • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                          • Instruction Fuzzy Hash: 1D318521A08F4A85EB14BB11A445178E6B4BB4DFB0FD84275D99E07B95DF3CE44DC328
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: _wcsnicmpswscanf
                          • String ID: :EOF
                          • API String ID: 1534968528-551370653
                          • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                          • Instruction ID: e21558fe738b027e712647675cc2b57b4ced1a3f84873971b3681cefa0a7d4e8
                          • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                          • Instruction Fuzzy Hash: 41316431E08F4A86FB14BB15A444278F2B1EF4D770FD58632EADD06295DF2CE44D8668
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: iswspacewcschr
                          • String ID: =,;
                          • API String ID: 287713880-1539845467
                          • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                          • Instruction ID: 5033c28191224679497346b7bc36d5742b9ead833b8052889a72e0027e8a3387
                          • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                          • Instruction Fuzzy Hash: A1F04421A19F5A81FB64AB02E45017AF5B0FF4CF61FC99232D99D42254DF2CD84CC628
                          APIs
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506D6
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D506F0
                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D5074D
                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF718D4B4DB), ref: 00007FF718D50762
                          Memory Dump Source
                          • Source File: 00000006.00000002.2060522217.00007FF718D41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF718D40000, based on PE: true
                          • Associated: 00000006.00000002.2060498675.00007FF718D40000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D7D000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D81000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060574555.00007FF718D8F000.00000004.00000001.01000000.00000004.sdmp
                          • Associated: 00000006.00000002.2060638788.00007FF718D99000.00000002.00000001.01000000.00000004.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_7ff718d40000_alpha.jbxd
                          Similarity
                          • API ID: Heap$AllocProcess
                          • String ID:
                          • API String ID: 1617791916-0
                          • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                          • Instruction ID: dec06e250faa5415965adebbbc86acae3a217f4eab025246808695af8dab5c96
                          • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                          • Instruction Fuzzy Hash: 1A413A72A09B4A86EB14AF10E441179FAB0EF99BA0BD48135DA8D43754DF3CE84DC768