

Windows Analysis Report
dry.dll

Overview

General Information

Sample Name: dry.dll
Analysis ID: 575240
MD5: 4bec705de3584b911018c84f31659a17
SHA1: b29ff37578ef950b702ec5db59161294c2e1a7b3
SHA256: 13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635
Tags: dll, dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Contains functionality to inject code into remote processes
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6572 cmdline: loaddll64.exe "C:\Users\user\Desktop\dry.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6612 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4484 cmdline: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5792 cmdline: rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • consent.exe (PID: 4904 cmdline: C:\Windows\system32\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • consent.exe (PID: 3576 cmdline: C:\Users\user\AppData\Local\DLKXiO\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • SysResetErr.exe (PID: 4676 cmdline: C:\Windows\system32\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
        • SysResetErr.exe (PID: 2064 cmdline: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
        • consent.exe (PID: 6440 cmdline: C:\Windows\system32\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • consent.exe (PID: 4740 cmdline: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • rdpshell.exe (PID: 6520 cmdline: C:\Windows\system32\rdpshell.exe MD5: 4994A0ADA359924026FE631E54FC7A5D)
        • cmstp.exe (PID: 4628 cmdline: C:\Windows\system32\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)
        • cmstp.exe (PID: 6000 cmdline: C:\Users\user\AppData\Local\y1c6p\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)
        • DWWIN.EXE (PID: 5392 cmdline: C:\Windows\system32\DWWIN.EXE MD5: 3C21F944D5FF44E45BC753919F6AE445)
        • DWWIN.EXE (PID: 4336 cmdline: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE MD5: 3C21F944D5FF44E45BC753919F6AE445)
        • sppsvc.exe (PID: 5788 cmdline: C:\Windows\system32\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • sppsvc.exe (PID: 5012 cmdline: C:\Users\user\AppData\Local\GsjW\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • SndVol.exe (PID: 3156 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 5664 cmdline: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
    • rundll32.exe (PID: 568 cmdline: rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5456 cmdline: rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp | crime_win64_dridex_bot_hook | Detects latest Dridex bot hook | @VK_Intel
  • 0x37e93:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp | crime_win64_dridex_bot_hook | Detects latest Dridex bot hook | @VK_Intel
  • 0x37e93:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(13 memory-dump entries in total; only the first are reproduced here)
Source | Rule | Description | Author | Strings
4.2.rundll32.exe.7ffc68290000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
4.2.rundll32.exe.7ffc68290000.2.unpack | crime_win64_dridex_bot_hook | Detects latest Dridex bot hook | @VK_Intel
  • 0x38293:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
8.2.rundll32.exe.7ffc68290000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
8.2.rundll32.exe.7ffc68290000.2.unpack | crime_win64_dridex_bot_hook | Detects latest Dridex bot hook | @VK_Intel
  • 0x38293:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
3.2.rundll32.exe.7ffc68290000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(13 unpacked-PE entries in total; only the first are reproduced here)

              System Summary

Source: Process started
Author: Florian Roth
Data: Command: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6612, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, ProcessId: 4484
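The Sigma hit above and the process tree in the Classification section describe two behaviours worth turning into hunt logic: rundll32 invoking an export by ordinal (`"dry.dll",#1`), and explorer.exe launching a system binary first from System32 and then a copy of it from a random directory under the user's AppData, next to a dropped DLL that carries a system DLL's name (consent.exe beside WMsgAPI.dll, SndVol.exe beside UxTheme.dll). The script below is an added example, not code from the Joe Sandbox report; its event records are constructed from the report's process tree and dropped-file list, and its field names (pid, parent, image, cmdline) are this example's own schema rather than a Sysmon or EVTX layout.

```python
"""Hunt logic for two behaviours in this report: rundll32 export-by-ordinal
invocation, and system binaries relaunched from a user-writable directory
beside a DLL named like a system DLL (the sideloading pattern).

Added example; not code from the Joe Sandbox report. EVENTS and DROPPED are
constructed from the report's process tree and dropped-file list.
"""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\temp\\")
# DLL names the dropped copies could shadow from their own directory; taken
# from this report's dropped files, not an exhaustive sideloading list.
SIDELOAD_DLLS = {"version.dll", "uxtheme.dll", "winsta.dll",
                 "dui70.dll", "xmllite.dll", "wmsgapi.dll"}

# rundll32 <dll>,#<n>  (export referenced by ordinal instead of by name)
ORDINAL_CALL = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,\s*#\d+', re.IGNORECASE)

EVENTS = [  # constructed from the report's process tree
    {"pid": 4484, "parent": "cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\dry.dll",#1'},
    {"pid": 5792, "parent": "loaddll64.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader"},
    {"pid": 4904, "parent": "explorer.exe", "image": r"C:\Windows\system32\consent.exe",
     "cmdline": r"C:\Windows\system32\consent.exe"},
    {"pid": 3576, "parent": "explorer.exe", "image": r"C:\Users\user\AppData\Local\DLKXiO\consent.exe",
     "cmdline": r"C:\Users\user\AppData\Local\DLKXiO\consent.exe"},
    {"pid": 4628, "parent": "explorer.exe", "image": r"C:\Windows\system32\cmstp.exe",
     "cmdline": r"C:\Windows\system32\cmstp.exe"},
    {"pid": 6000, "parent": "explorer.exe", "image": r"C:\Users\user\AppData\Local\y1c6p\cmstp.exe",
     "cmdline": r"C:\Users\user\AppData\Local\y1c6p\cmstp.exe"},
    {"pid": 3156, "parent": "explorer.exe", "image": r"C:\Windows\system32\SndVol.exe",
     "cmdline": r"C:\Windows\system32\SndVol.exe"},
    {"pid": 5664, "parent": "explorer.exe", "image": r"C:\Users\user\AppData\Local\0rPbJb\SndVol.exe",
     "cmdline": r"C:\Users\user\AppData\Local\0rPbJb\SndVol.exe"},
]
DROPPED = [  # constructed from the report's AV-flagged dropped files
    r"C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll",
    r"C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll",
    r"C:\Users\user\AppData\Local\oudoiG\VERSION.dll",
]


def is_ordinal_rundll32(cmdline: str) -> bool:
    return ORDINAL_CALL.search(cmdline) is not None


def system_image_names(events) -> set:
    """Basenames of images that ran from a system directory in this trace."""
    return {PureWindowsPath(e["image"]).name.lower() for e in events
            if e["image"].lower().startswith(SYSTEM_DIRS)}


def is_masqueraded_system_binary(image: str, system_names: set) -> bool:
    """Same basename as a system binary, but running from a user-writable path."""
    low = image.lower()
    return (PureWindowsPath(image).name.lower() in system_names
            and not low.startswith(SYSTEM_DIRS)
            and any(marker in low for marker in USER_WRITABLE))


def sideload_candidates(image: str, dropped) -> list:
    """Dropped DLLs in the image's own directory whose name matches a system DLL."""
    here = PureWindowsPath(image).parent
    return sorted(PureWindowsPath(f).name for f in dropped
                  if PureWindowsPath(f).parent == here
                  and PureWindowsPath(f).name.lower() in SIDELOAD_DLLS)


def hunt(events, dropped) -> list:
    system_names = system_image_names(events)
    findings = []
    for e in events:
        if is_ordinal_rundll32(e["cmdline"]):
            findings.append({"pid": e["pid"], "rule": "rundll32_ordinal_call"})
        if is_masqueraded_system_binary(e["image"], system_names):
            findings.append({"pid": e["pid"], "rule": "system_binary_from_user_dir",
                             "sideload_dlls": sideload_candidates(e["image"], dropped)})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS, DROPPED):
        print(finding)
```

The masquerade check learns the set of legitimate basenames from the trace itself (every image that ran from System32), which is exactly the "launch the real binary, then the copied one" sequence the tree shows. Note that the cmstp.exe copy in y1c6p is still flagged even though no DLL from the report's dropped-file list sits beside it; the empty `sideload_dlls` list is the cue to go look at that directory rather than a reason to dismiss the hit.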



              AV Detection

Source: dry.dll | Virustotal: Detection: 70%
Source: dry.dll | Metadefender: Detection: 55%
Source: dry.dll | ReversingLabs: Detection: 82%
Source: dry.dll | Avira: detected
Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\GsjW\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: dry.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\GsjW\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Code function: 30_2_00007FF7EAE9CF6C VirtualAlloc,GetLastError,BCryptCreateHash,ReadProcessMemory,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,VirtualFree,BCryptFinishHash,BCryptDestroyHash,GetLastError
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Code function: 30_2_00007FF7EAE9D15C BCryptCreateHash,_wcsnicmp,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash
Source: dry.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: consent.pdb source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
              Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
              Source: Binary string: cmstp.pdbGCTL source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
              Source: Binary string: FFgnji|RgnjiR.pdb source: SysResetErr.exe, 0000000F.00000002.410461412.00000204E63D7000.00000004.00000020.00020000.00000000.sdmp, SysResetErr.exe, 0000000F.00000002.410154109.00000204E622E000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448408637.0000016FCD5A2000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448269347.0000016FCD449000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.476969443.0000025594C81000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.477066927.0000025594DE1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513393199.0000029561289000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513278214.0000029561127000.00000004.00000020.00020000.00000000.sdmp, dry.dll, VERSION.dll.5.dr, VERSION.dll0.5.dr, UxTheme.dll.5.dr, WINSTA.dll.5.dr, DUI70.dll.5.dr, XmlLite.dll.5.dr, WMsgAPI.dll.5.dr
              Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
              Source: Binary string: SysResetErr.pdb source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
              Source: Binary string: dwwin.pdbGCTL source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
              Source: Binary string: cmstp.pdb source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
              Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
              Source: Binary string: dwwin.pdb source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
              Source: Binary string: consent.pdbUGP source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
              Source: Binary string: SndVol.pdb source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
              Source: Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682EDBE0 FindFirstFileExW
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe | Code function: 15_2_00007FFC67E3DBE0 FindFirstFileExW
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F871E0 memset,GetPrivateProfileStringW,FindFirstFileW,wcscmp,memset,FindNextFileW
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F84008 memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,lstrlenW,CmMalloc,CmFree,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FFC6E2EDBE0 FindFirstFileExW
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Code function: 30_2_00007FF7EAE96678 memset,StrStrIW,GetLogicalDriveStringsW,QueryDosDeviceW,StrStrIW
Source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr | String found in binary or memory: http://xml.org/sax/properties/lexical-handler&<>"'SelectionLanguageXPathSelectio
Source: unknown | DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

              E-Banking Fraud

Source: Yara match | File source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

              System Summary

Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: sppsvc.exe.5.dr | Static PE information: section name: ?g_Encry
Source: sppsvc.exe.5.dr | Static PE information: section name: ?g_Encry
Source: sppsvc.exe.5.dr | Static PE information: section name: ?g_Encry
Source: sppsvc.exe.5.dr | Static PE information: section name: ?g_Encry
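Two of the static observations in this report are cheap to reproduce without a sandbox: the DllCharacteristics flags reported for dry.dll (TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA) and the "?g_Encry" section name in the dropped sppsvc.exe, which trips the "section with special chars" signature. The parser below is an added example, not Joe Sandbox code: it reads the COFF and optional headers with struct only, and builds a constructed, headers-only PE32+ image carrying the report's flags and section name so it runs offline. The section-count threshold, the timestamp sanity window and the "mitigations not opted in" check are this example's own heuristics, not the sandbox's.

```python
"""Static PE triage: DllCharacteristics flags and section-name checks.

Added example; not Joe Sandbox code. SAMPLE is a constructed, headers-only
PE32+ image carrying the flags and section name the report lists; the
thresholds in triage() are assumptions.
"""
import re
import struct
import time

# IMAGE_DLLCHARACTERISTICS_* (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".xdata", ".CRT", ".gfids"}
MAX_NORMAL_SECTIONS = 8                                  # assumed threshold
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def parse_pe(data: bytes) -> dict:
    """Return machine, timestamp, DllCharacteristics and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "timestamp": stamp, "pe32plus": magic == 0x20B,
            "dll_characteristics": dllchars, "sections": sections}


def dll_flag_names(value: int) -> list:
    return [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def triage(info: dict, now: float = None) -> list:
    """Heuristic findings in the spirit of the sandbox's static signatures."""
    now = time.time() if now is None else now
    findings = []
    for s in info["sections"]:
        if not re.fullmatch(r"[A-Za-z0-9._$]+", s["name"]):
            findings.append("section name with special chars: %r" % s["name"])
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name: %r" % s["name"])
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writable and executable section: %r" % s["name"])
    if len(info["sections"]) > MAX_NORMAL_SECTIONS:
        findings.append("more sections than normal: %d" % len(info["sections"]))
    if info["timestamp"] > now or info["timestamp"] < 631152000:   # in the future / before 1990
        findings.append("suspicious time stamp: %d" % info["timestamp"])
    present = dll_flag_names(info["dll_characteristics"])
    missing = [n for n in ("DYNAMIC_BASE", "NX_COMPAT") if n not in present]
    if missing:
        findings.append("mitigations not opted in: %s" % ", ".join(missing))
    return findings


def build_sample_pe(section_names, dllchars, timestamp) -> bytes:
    """Constructed headers-only PE32+ image (no code; not loadable)."""
    opt_size = 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x180000000)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # Section / File alignment
    struct.pack_into("<HH", opt, 68, 2, dllchars)                 # Subsystem GUI, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    secs = b""
    for i, name in enumerate(section_names):
        flags = 0x60000020 if name == ".text" else 0xC0000040     # code RX, data RW
        secs += struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), 0x1000, 0x1000 * (i + 1),
                            0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


SAMPLE = build_sample_pe([".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", "?g_Encry"],
                         0x8000 | 0x0100 | 0x0040 | 0x0020, timestamp=1584000000)

if __name__ == "__main__":
    info = parse_pe(SAMPLE)
    print(dll_flag_names(info["dll_characteristics"]))
    for line in triage(info, now=1650000000):
        print(line)
```

Run against a real dropped file, `parse_pe(open(path, "rb").read())` gives the same dictionary; the point of the constructed image is only that the example is reproducible without the sample. Note that the flags the report lists for dry.dll are the ones a normal MSVC build emits, so their presence says nothing about maliciousness on its own; the section name is the actionable signal here.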
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe C:\Users\user\AppData\Local\y1c6p\cmstp.exe
Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\DWWIN.EXE
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682DB120
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C3940
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682D8990
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B6190
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C4310
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682ECC90
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F6610
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682D7EA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682FBF20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682E1FE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B58F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682FA0E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682BD0E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682918D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F5910
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B3110
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6829B100
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F9970
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B3960
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682BA960
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682BE950
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682CE190
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682EE190
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682FB180
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC68292980
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F19C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B2210
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F3270
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F7260
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682E3A50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B2A50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC68297A40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C82B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F6AB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682AFAB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C0AF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B52D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682BD2D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6829BB20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682BDB20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F4B10
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C7B10
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C7310
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C9B70
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F9360
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC68295350
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682A23B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682C9390
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682F1B80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B6BF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682B7BE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682A83D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682BC3D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682BEC30
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC68295C20
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682CA4000_2_00007FFC682CA400
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C04500_2_00007FFC682C0450
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B1C400_2_00007FFC682B1C40
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B8C400_2_00007FFC682B8C40
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A54B00_2_00007FFC682A54B0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A74A00_2_00007FFC682A74A0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C2C800_2_00007FFC682C2C80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F84D00_2_00007FFC682F84D0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682DED200_2_00007FFC682DED20
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A3D600_2_00007FFC682A3D60
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B95B00_2_00007FFC682B95B0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6829C5A00_2_00007FFC6829C5A0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F95800_2_00007FFC682F9580
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C45F00_2_00007FFC682C45F0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6829DDE00_2_00007FFC6829DDE0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6830D6500_2_00007FFC6830D650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682916200_2_00007FFC68291620
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682EFE100_2_00007FFC682EFE10
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C26100_2_00007FFC682C2610
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC68309E700_2_00007FFC68309E70
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE000_2_00007FFC682FCE00
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A66700_2_00007FFC682A6670
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A96600_2_00007FFC682A9660
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682EF6500_2_00007FFC682EF650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B26500_2_00007FFC682B2650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C06500_2_00007FFC682C0650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F46400_2_00007FFC682F4640
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BF6400_2_00007FFC682BF640
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCEB60_2_00007FFC682FCEB6
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCEAD0_2_00007FFC682FCEAD
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCEA60_2_00007FFC682FCEA6
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE9D0_2_00007FFC682FCE9D
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE940_2_00007FFC682FCE94
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC68296E900_2_00007FFC68296E90
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE8B0_2_00007FFC682FCE8B
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F6E800_2_00007FFC682F6E80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC68297E800_2_00007FFC68297E80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BBE800_2_00007FFC682BBE80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C0EE00_2_00007FFC682C0EE0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682E46D00_2_00007FFC682E46D0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC683036C00_2_00007FFC683036C0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682ACF300_2_00007FFC682ACF30
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C17300_2_00007FFC682C1730
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B1F100_2_00007FFC682B1F10
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A87000_2_00007FFC682A8700
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682AC7000_2_00007FFC682AC700
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682DDF400_2_00007FFC682DDF40
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682967900_2_00007FFC68296790
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682AD7800_2_00007FFC682AD780
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BDFE00_2_00007FFC682BDFE0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BEFD00_2_00007FFC682BEFD0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682910100_2_00007FFC68291010
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A08700_2_00007FFC682A0870
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B18500_2_00007FFC682B1850
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A90500_2_00007FFC682A9050
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F910D013_2_00007FF679F910D0
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9394013_2_00007FF679F93940
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9D57413_2_00007FF679F9D574
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F92C6013_2_00007FF679F92C60
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9207013_2_00007FF679F92070
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9F29013_2_00007FF679F9F290
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9C6CC13_2_00007FF679F9C6CC
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9ED3013_2_00007FF679F9ED30
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FF67A42142415_2_00007FF67A421424
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E31FE015_2_00007FFC67E31FE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4BF2015_2_00007FFC67E4BF20
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E27EA015_2_00007FFC67E27EA0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4661015_2_00007FFC67E46610
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E145F015_2_00007FFC67E145F0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E3CC9015_2_00007FFC67E3CC90
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1A40015_2_00007FFC67E1A400
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1939015_2_00007FFC67E19390
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1431015_2_00007FFC67E14310
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E2899015_2_00007FFC67E28990
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0619015_2_00007FFC67E06190
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1394015_2_00007FFC67E13940
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E2B12015_2_00007FFC67E2B120
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF087015_2_00007FFC67DF0870
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0185015_2_00007FFC67E01850
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF905015_2_00007FFC67DF9050
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE101015_2_00007FFC67DE1010
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0DFE015_2_00007FFC67E0DFE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0EFD015_2_00007FFC67E0EFD0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5A7BB15_2_00007FFC67E5A7BB
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DFD78015_2_00007FFC67DFD780
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5AF8115_2_00007FFC67E5AF81
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE679015_2_00007FFC67DE6790
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E2DF4015_2_00007FFC67E2DF40
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1173015_2_00007FFC67E11730
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DFCF3015_2_00007FFC67DFCF30
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF870015_2_00007FFC67DF8700
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DFC70015_2_00007FFC67DFC700
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E01F1015_2_00007FFC67E01F10
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5EEF015_2_00007FFC67E5EEF0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E10EE015_2_00007FFC67E10EE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E346D015_2_00007FFC67E346D0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E536C015_2_00007FFC67E536C0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4CEAD15_2_00007FFC67E4CEAD
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4CEB615_2_00007FFC67E4CEB6
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4CE9D15_2_00007FFC67E4CE9D
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4CEA615_2_00007FFC67E4CEA6
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE7E8015_2_00007FFC67DE7E80
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4CE9415_2_00007FFC67E4CE94
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0BE8015_2_00007FFC67E0BE80
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E46E8015_2_00007FFC67E46E80
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE6E9015_2_00007FFC67DE6E90
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4CE8B15_2_00007FFC67E4CE8B
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E59E7015_2_00007FFC67E59E70
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF966015_2_00007FFC67DF9660
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF667015_2_00007FFC67DF6670
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5D65015_2_00007FFC67E5D650
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1065015_2_00007FFC67E10650
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E3F65015_2_00007FFC67E3F650
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0F64015_2_00007FFC67E0F640
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5A63F15_2_00007FFC67E5A63F
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4464015_2_00007FFC67E44640
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0265015_2_00007FFC67E02650
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE162015_2_00007FFC67DE1620
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1261015_2_00007FFC67E12610
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E3FE1015_2_00007FFC67E3FE10
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4CE0015_2_00007FFC67E4CE00
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DEDDE015_2_00007FFC67DEDDE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E095B015_2_00007FFC67E095B0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DEC5A015_2_00007FFC67DEC5A0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4958015_2_00007FFC67E49580
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF3D6015_2_00007FFC67DF3D60
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E2ED2015_2_00007FFC67E2ED20
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E484D015_2_00007FFC67E484D0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF74A015_2_00007FFC67DF74A0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF54B015_2_00007FFC67DF54B0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E12C8015_2_00007FFC67E12C80
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5AC6015_2_00007FFC67E5AC60
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1045015_2_00007FFC67E10450
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E01C4015_2_00007FFC67E01C40
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E08C4015_2_00007FFC67E08C40
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0EC3015_2_00007FFC67E0EC30
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE5C2015_2_00007FFC67DE5C20
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E07BE015_2_00007FFC67E07BE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E06BF015_2_00007FFC67E06BF0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0C3D015_2_00007FFC67E0C3D0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF83D015_2_00007FFC67DF83D0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E37BB015_2_00007FFC67E37BB0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF23B015_2_00007FFC67DF23B0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E41B8015_2_00007FFC67E41B80
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E19B7015_2_00007FFC67E19B70
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4936015_2_00007FFC67E49360
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE535015_2_00007FFC67DE5350
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DEBB2015_2_00007FFC67DEBB20
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0DB2015_2_00007FFC67E0DB20
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E17B1015_2_00007FFC67E17B10
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1731015_2_00007FFC67E17310
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E44B1015_2_00007FFC67E44B10
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E10AF015_2_00007FFC67E10AF0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5E2D015_2_00007FFC67E5E2D0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0D2D015_2_00007FFC67E0D2D0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E052D015_2_00007FFC67E052D0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E182B015_2_00007FFC67E182B0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E46AB015_2_00007FFC67E46AB0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DFFAB015_2_00007FFC67DFFAB0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4327015_2_00007FFC67E43270
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4726015_2_00007FFC67E47260
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E33A5015_2_00007FFC67E33A50
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE7A4015_2_00007FFC67DE7A40
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E02A5015_2_00007FFC67E02A50
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0221015_2_00007FFC67E02210
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E419C015_2_00007FFC67E419C0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1E19015_2_00007FFC67E1E190
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E3099015_2_00007FFC67E30990
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E3E19015_2_00007FFC67E3E190
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE298015_2_00007FFC67DE2980
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4B18015_2_00007FFC67E4B180
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4997015_2_00007FFC67E49970
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0396015_2_00007FFC67E03960
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0A96015_2_00007FFC67E0A960
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0E95015_2_00007FFC67E0E950
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4591015_2_00007FFC67E45910
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DEB10015_2_00007FFC67DEB100
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0311015_2_00007FFC67E03110
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4A0E015_2_00007FFC67E4A0E0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0D0E015_2_00007FFC67E0D0E0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E058F015_2_00007FFC67E058F0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE18D015_2_00007FFC67DE18D0
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D1210D023_2_00007FF60D1210D0
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D122C6023_2_00007FF60D122C60
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D12207023_2_00007FF60D122070
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D12F29023_2_00007FF60D12F290
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D12C6CC23_2_00007FF60D12C6CC
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D12ED3023_2_00007FF60D12ED30
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D12D57423_2_00007FF60D12D574
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D12394023_2_00007FF60D123940
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8591C27_2_00007FF768F8591C
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F82F1C27_2_00007FF768F82F1C
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8125427_2_00007FF768F81254
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8916027_2_00007FF768F89160
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8637C27_2_00007FF768F8637C
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8748027_2_00007FF768F87480
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8479427_2_00007FF768F84794
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F82CB827_2_00007FF768F82CB8
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F899BC27_2_00007FF768F899BC
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8AAD427_2_00007FF768F8AAD4
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F896D827_2_00007FF768F896D8
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F871E027_2_00007FF768F871E0
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F84AFC27_2_00007FF768F84AFC
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F89E1027_2_00007FF768F89E10
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8400827_2_00007FF768F84008
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2D7EA027_2_00007FFC6E2D7EA0
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2FBF2027_2_00007FFC6E2FBF20
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2E1FE027_2_00007FFC6E2E1FE0
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2ECC9027_2_00007FFC6E2ECC90
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2C45F027_2_00007FFC6E2C45F0
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2F661027_2_00007FFC6E2F6610
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2C431027_2_00007FFC6E2C4310
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2C939027_2_00007FFC6E2C9390
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2CA40027_2_00007FFC6E2CA400
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2DB12027_2_00007FFC6E2DB120
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2C394027_2_00007FFC6E2C3940
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2D899027_2_00007FFC6E2D8990
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2B619027_2_00007FFC6E2B6190
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2FCEB627_2_00007FFC6E2FCEB6
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2FCEAD27_2_00007FFC6E2FCEAD
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2FCEA627_2_00007FFC6E2FCEA6
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2FCE9D27_2_00007FFC6E2FCE9D
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCE94
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E296E90
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCE8B
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30EEF0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F6E80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E297E80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BBE80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0EE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E46D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E3036C0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2ACF30
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C1730
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B1F10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A8700
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2AC700
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2DDF40
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E296790
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2AD780
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30AF81
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BDFE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BEFD0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30A7BB
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E291010
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A0870
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B1850
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A9050
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A54B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A74A0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C2C80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F84D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2DED20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A3D60
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B95B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29C5A0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F9580
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29DDE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30A63F
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30D650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E291620
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EFE10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C2610
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E309E70
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCE00
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A6670
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A9660
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EF650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B2650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F4640
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BF640
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C82B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F6AB0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2AFAB0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30E2D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0AF0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B52D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BD2D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29BB20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BDB20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F4B10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C7B10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C7310
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C9B70
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F9360
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E295350
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E7BB0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A23B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F1B80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B6BF0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B7BE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A83D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BC3D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BEC30
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E295C20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30AC60
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0450
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B1C40
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B8C40
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B58F0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FA0E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BD0E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2918D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F5910
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B3110
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29B100
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F9970
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B3960
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BA960
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BE950
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2CE190
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E0990
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EE190
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FB180
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E292980
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F19C0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B2210
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F3270
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F7260
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E3A50
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B2A50
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E297A40
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9D3E4
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9CF6C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2858
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9B9FC
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE911A0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE99D80
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE91568
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE8C568
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9D15C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9026C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE98E50
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE8DA34
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: String function: 00007FF768F8BA24 appears 90 times
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: String function: 00007FF7EAEA4DB2 appears 36 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682FBF20 NtQuerySystemInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682D6070 NtClose
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F910D0 EtwRegisterTraceGuidsW,HeapSetInformation,EventRegister,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,memset,WinStationQueryInformationW,GetCommandLineW,swscanf_s,swscanf_s,swscanf_s,GlobalFree,NtOpenProcess,ImpersonateLoggedOnUser,GetUserPreferredUILanguages,RevertToSelf,SetProcessPreferredUILanguages,CoInitializeEx,ConvertStringSecurityDescriptorToSecurityDescriptorW,MakeAbsoluteSD,GetLastError,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,MakeAbsoluteSD,CoInitializeSecurity,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,memset,GetSidLengthRequired,LocalAlloc,InitializeSid,GetTokenInformation,GetSidSubAuthority,LocalFree,EtwEventWrite,EtwEventWrite,NtQueryVolumeInformationFile,EtwEventWrite,LocalAlloc,EtwSendNotification,LocalFree,NtQueryInformationToken,NtQueryInformationToken,NtClose,EtwEventWrite,EtwEventWrite,NtDuplicateObject,CloseHandle,NtWriteVirtualMemory,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids,DestroyIcon,RtlNtStatusToDosError,RegGetValueW,RtlNtStatusToDosError,RtlNtStatusToDosError,RtlNtStatusToDosError,#2574,GetLastError,GetLastError,GetLastError,GetCurrentProcess,SetPriorityClass,GetLastError,EtwEventWrite,EtwEventWrite,RtlNtStatusToDosErrorNoTeb,NtClose,RtlNtStatusToDosError,RtlNtStatusToDosError,NtClose,TerminateThread,WaitForSingleObject,EtwEventWrite,EtwEventWrite,UninitLocalMsCtfMonitor,WaitForSingleObject,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F91F60 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb,ImpersonateLoggedOnUser,RevertToSelf
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F93380 HeapAlloc,NtReadVirtualMemory,NtDuplicateObject,NtDuplicateObject,EtwEventWrite,NtDuplicateObject,NtClose,NtClose,HeapFree
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F959B4 RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9AFD0 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9A808 memset,RtlAdjustPrivilege,LsaRegisterLogonProcess,NtAllocateLocallyUniqueId,RegGetValueW,LsaLogonUser,LsaLogonUser,RtlNtStatusToDosError,NtClose,LsaFreeReturnBuffer,LsaDeregisterLogonProcess
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9B020 NtQueryInformationToken,RtlNtStatusToDosError,LocalAlloc,NtQueryInformationToken,LocalFree,RtlSubAuthoritySid,RtlSubAuthoritySid
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9AAB0 LocalAlloc,memset,memcpy,SeciAllocateAndSetCallFlags,RtlInitString,LsaRegisterLogonProcess,RtlNtStatusToDosError,NtAllocateLocallyUniqueId,LsaLogonUser,GetTokenInformation,GetTokenInformation,RtlEqualSid,GetLastError,LsaFreeReturnBuffer,CloseHandle,LsaDeregisterLogonProcess,CoTaskMemFree,LocalFree
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E26070 NtClose
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E04850 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4BF20 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E145F0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E1ADF0 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E1A400 NtReadVirtualMemory
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E19390 NtDuplicateObject,RtlQueueApcWow64Thread
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D1210D0 EtwRegisterTraceGuidsW,HeapSetInformation,EventRegister,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,memset,WinStationQueryInformationW,GetCommandLineW,swscanf_s,swscanf_s,swscanf_s,GlobalFree,NtOpenProcess,ImpersonateLoggedOnUser,GetUserPreferredUILanguages,RevertToSelf,SetProcessPreferredUILanguages,CoInitializeEx,ConvertStringSecurityDescriptorToSecurityDescriptorW,MakeAbsoluteSD,GetLastError,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,MakeAbsoluteSD,CoInitializeSecurity,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,memset,GetSidLengthRequired,LocalAlloc,InitializeSid,GetTokenInformation,GetSidSubAuthority,LocalFree,EtwEventWrite,EtwEventWrite,NtQueryVolumeInformationFile,EtwEventWrite,LocalAlloc,EtwSendNotification,LocalFree,NtQueryInformationToken,NtQueryInformationToken,NtClose,EtwEventWrite,EtwEventWrite,NtDuplicateObject,CloseHandle,NtWriteVirtualMemory,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids,DestroyIcon,RtlNtStatusToDosError,RegGetValueW,RtlNtStatusToDosError,RtlNtStatusToDosError,RtlNtStatusToDosError,#2574,GetLastError,GetLastError,GetLastError,GetCurrentProcess,SetPriorityClass,GetLastError,EtwEventWrite,EtwEventWrite,RtlNtStatusToDosErrorNoTeb,NtClose,RtlNtStatusToDosError,RtlNtStatusToDosError,NtClose,TerminateThread,WaitForSingleObject,EtwEventWrite,EtwEventWrite,UninitLocalMsCtfMonitor,WaitForSingleObject,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12AAB0 LocalAlloc,memset,memcpy,SeciAllocateAndSetCallFlags,RtlInitString,LsaRegisterLogonProcess,RtlNtStatusToDosError,NtAllocateLocallyUniqueId,LsaLogonUser,GetTokenInformation,GetTokenInformation,RtlEqualSid,GetLastError,LsaFreeReturnBuffer,CloseHandle,LsaDeregisterLogonProcess,CoTaskMemFree,LocalFree
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D121F60 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb,ImpersonateLoggedOnUser,RevertToSelf
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D1259B4 RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D123380 HeapAlloc,NtReadVirtualMemory,NtDuplicateObject,NtDuplicateObject,EtwEventWrite,NtDuplicateObject,NtClose,NtClose,HeapFree
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12AFD0 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12B020 NtQueryInformationToken,RtlNtStatusToDosError,LocalAlloc,NtQueryInformationToken,LocalFree,RtlSubAuthoritySid,RtlSubAuthoritySid
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12A808 memset,RtlAdjustPrivilege,LsaRegisterLogonProcess,NtAllocateLocallyUniqueId,RegGetValueW,LsaLogonUser,LsaLogonUser,RtlNtStatusToDosError,NtClose,LsaFreeReturnBuffer,LsaDeregisterLogonProcess
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FBF20 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2D6070 NtClose
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B4850 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2CADF0 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C45F0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C9390 NtDuplicateObject,RtlQueueApcWow64Thread
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2CA400 NtReadVirtualMemory
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90BF8 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2388 NtQueryLicenseValue
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90F60 memset,NtQueryInformationProcess,DbgPrintEx,NtOpenKey,RtlInitUnicodeStringEx,NtQueryValueKey,DbgPrintEx,CloseHandle
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA20F0 NtAllocateVirtualMemory,NtClose,memmove,NtDeviceIoControlFile,NtFreeVirtualMemory,NtClose
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA207C NtCreateFile
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2858 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9F450 memset,RtlInitUnicodeString,NtSetSystemInformation
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9F1BC memset,RtlAdjustPrivilege,NtSetSystemInformation,NtSetSystemInformation,RtlInitUnicodeString,NtSetSystemInformation,RtlAdjustPrivilege
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE911A0 memset,memset,VirtualAlloc,NtOpenKey,memset,NtQueryValueKey,DbgPrintEx,memset,NtQueryValueKey,memset,NtQueryValueKey,memset,NtQueryValueKey,DbgPrintEx,DbgPrintEx,DbgPrintEx,DbgPrintEx,DbgPrintEx,NtClose,VirtualFree
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE83598 memset,NtSuspendProcess,WerReportCreate,WerpGetReportFlags,WerpSetCallBack,WerReportSubmit,WerReportCloseHandle,NtResumeProcess
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA3990 NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlAllocateHeap,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE89990 memset,ZwQueryInformationThread,ReadProcessMemory,GetLastError
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9E980 IsWindow,_wcsicmp,memset,NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE91568 memset,GetProcessId,GetLastError,VirtualAlloc,GetCurrentProcess,DuplicateHandle,CreateEventW,NtQuerySystemInformation,GetThreadId,VirtualAllocEx,WriteProcessMemory,RtlDetermineDosPathNameType_U,RtlGetNtSystemRoot,DbgPrintEx,DbgPrintEx,RtlGetCurrentTransaction,RtlSetCurrentTransaction,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,DbgPrintEx,InitializeProcThreadAttributeList,GetLastError,GetLastError,VirtualAlloc,InitializeProcThreadAttributeList,GetLastError,UpdateProcThreadAttribute,GetLastError,CreateProcessW,GetLastError,NtWaitForMultipleObjects,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,VirtualFree,RtlSetCurrentTransaction,CloseHandle,VirtualFree
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE95140 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE92920 ZwQueryInformationThread,GetProcessId,I_QueryTagInformation,LocalFree,wcschr,RegOpenKeyExW,RegCloseKey
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90EE8 memset,NtQueryInformationProcess,DbgPrintEx
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90AE0 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE89AD8 memset,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memset,ReadProcessMemory
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2268 NtDeviceIoControlFile,NtClose
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE8DA34 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA20F0 NtAllocateVirtualMemory,NtClose,memmove,NtDeviceIoControlFile,NtFreeVirtualMemory,NtClose
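Triage note on the rows above. The function rows for SysResetErr.exe and cmstp.exe (NtCreateSection/NtMapViewOfSection/NtDuplicateObject at offset ...4850, VirtualProtect/RtlCreateUserThread at ...45F0, NtDuplicateObject/RtlQueueApcWow64Thread at ...9390) sit at identical offsets from a 64 KiB-aligned base in both processes, and the two loaddll64.exe rows (...6070, ...BF20) line up with them too: the same module is loaded in all three processes, which is what the "Changes memory attributes in foreign processes", "Queues an APC in another process" and "Contains functionality to inject code into remote processes" signatures are keying on. The consent.exe and DWWIN.EXE rows, by contrast, are at image-range (0x7FF6/0x7FF7) addresses and list the APIs those signed Windows binaries legitimately use (LSA logon, WER reporting).

The script below is an added example, not Joe Sandbox code; it post-processes "Code function" rows as the report renders them in text form (source path run straight into the column name, function id repeated after the API list) and scores each process on which injection stages its functions touch. The stage grouping and verdict thresholds are this example's own heuristic; the seven input rows are copied from this report.

```python
import re
from collections import defaultdict

# Injection primitives grouped by stage. The grouping and thresholds are this
# example's own triage heuristic, not Joe Sandbox signature definitions.
STAGES = {
    "open/dup":  {"NtOpenProcess", "OpenProcess", "NtDuplicateObject", "DuplicateHandle"},
    "map/alloc": {"NtCreateSection", "NtMapViewOfSection", "CreateFileMappingW",
                  "VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write":     {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "protect":   {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
    "execute":   {"RtlQueueApcWow64Thread", "NtQueueApcThread", "QueueUserAPC",
                  "RtlCreateUserThread", "NtCreateThreadEx", "CreateRemoteThread",
                  "SetThreadContext", "NtSetContextThread"},
}

# Accepts the report's text rendering: the source path may run straight into
# "Code function:", and the function id is repeated after the API list (or
# directly after itself when the row has no API list). 16 hex digits for x64
# reports, 8 for x86.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<fn>\d+_\d+_(?:[0-9A-Fa-f]{16}|[0-9A-Fa-f]{8})):?\s*(?P<rest>.*)$"
)

# Rows copied from this report, in the raw text form.
REPORT_LINES = [
    r"Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FBF20 NtQuerySystemInformation,0_2_00007FFC682FBF20",
    r"Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2FCE9427_2_00007FFC6E2FCE94",
    r"Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E04850 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,15_2_00007FFC67E04850",
    r"Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E145F0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,15_2_00007FFC67E145F0",
    r"Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E19390 NtDuplicateObject,RtlQueueApcWow64Thread,15_2_00007FFC67E19390",
    r"Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2B4850 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,27_2_00007FFC6E2B4850",
    r"Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FFC6E2C9390 NtDuplicateObject,RtlQueueApcWow64Thread,27_2_00007FFC6E2C9390",
]


def parse_line(line):
    """Return {'src','fn','addr','apis'} for a 'Code function' row, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fn = m.group("fn")
    # Drop empty tokens and the repeated function id; keep '#1234' ordinal imports.
    apis = [t for t in m.group("rest").split(",") if t and t != fn]
    return {"src": m.group("src"), "fn": fn,
            "addr": int(fn.rsplit("_", 1)[1], 16), "apis": apis}


def stages_for(apis):
    present = set(apis)
    return {stage for stage, names in STAGES.items() if present & names}


def verdict(stages):
    if "execute" in stages and stages & {"map/alloc", "write"}:
        return "remote-injection chain"
    if stages & {"execute", "write"}:
        return "partial primitives"
    return "none"


def triage(lines):
    """Per source process: union of stages, the functions that hit one, a verdict."""
    procs = defaultdict(lambda: {"stages": set(), "functions": {}})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = stages_for(rec["apis"])
        p = procs[rec["src"]]
        p["stages"] |= st
        if st:
            p["functions"][rec["fn"]] = sorted(st)
    for p in procs.values():
        p["verdict"] = verdict(p["stages"])
    return dict(procs)


def shared_code(lines):
    """Group functions by (address low 16 bits, API sequence) across processes.
    Module bases are 64 KiB aligned, so a given function of one module keeps the
    same low 16 bits wherever it is loaded; an identical API list at an identical
    offset in two processes points to one module present in both."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["apis"]:
            seen[(rec["addr"] & 0xFFFF, tuple(rec["apis"]))].add(rec["src"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for src, info in triage(REPORT_LINES).items():
        print(f"{info['verdict']:24} {src}  stages={sorted(info['stages'])}")
    for (low16, apis), srcs in shared_code(REPORT_LINES).items():
        print(f"offset ...{low16:04X} {','.join(apis)} shared by {len(srcs)} processes")
```

Run it over the whole report text (one row per line) rather than the seven rows embedded here; the per-process verdict and the shared-offset grouping are the two things worth carrying into a write-up, since a "none" verdict for a signed Windows binary and a "remote-injection chain" verdict for the same binary in a different analysis is exactly the side-loading pattern this report shows.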
              Source: dry.dllBinary or memory string: OriginalFilenamestreams.exeJ vs dry.dll
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SndVol.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe0.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe0.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe0.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe0.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe0.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: consent.exe0.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DUI70.dll.5.dr | Static PE information: Number of sections : 12 > 10
Source: WINSTA.dll.5.dr | Static PE information: Number of sections : 12 > 10
Source: UxTheme.dll.5.dr | Static PE information: Number of sections : 12 > 10
Source: WMsgAPI.dll.5.dr | Static PE information: Number of sections : 11 > 10
Source: VERSION.dll.5.dr | Static PE information: Number of sections : 12 > 10
Source: VERSION.dll0.5.dr | Static PE information: Number of sections : 12 > 10
Source: dry.dll | Static PE information: Number of sections : 11 > 10
Source: XmlLite.dll.5.dr | Static PE information: Number of sections : 12 > 10
Source: dry.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WMsgAPI.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dry.dll | Virustotal: Detection: 70%
Source: dry.dll | Metadefender: Detection: 55%
Source: dry.dll | ReversingLabs: Detection: 82%
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\dry.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\consent.exe C:\Windows\system32\consent.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\DLKXiO\consent.exe C:\Users\user\AppData\Local\DLKXiO\consent.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\consent.exe C:\Windows\system32\consent.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rdpshell.exe C:\Windows\system32\rdpshell.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe C:\Users\user\AppData\Local\y1c6p\cmstp.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\DWWIN.EXE
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\GsjW\sppsvc.exe C:\Users\user\AppData\Local\GsjW\sppsvc.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe C:\Users\user\AppData\Local\0rPbJb\SndVol.exe
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F84794 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,InitiateSystemShutdownW,AdjustTokenPrivileges,CloseHandle,27_2_00007FF768F84794
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: DWWIN.EXE.5.dr | Binary string: S\Device\IPTOptInLevelNtQuerySecurityPolicySoftware\Microsoft\Windows\CurrentVersion\Policies\DataCollection\UsersSoftware\Microsoft\Windows\CurrentVersion\Policies\DataCollectionAllowTelemetrypolicymanager.dllPolicyManager_GetPolicyPolicyManager_FreeGetPolicyDataSystemLimitEnhancedDiagnosticDataWindowsAnalyticsConfigureTelemetryOptInChangeNotificationDisableTelemetryOptInChangeNotificationConfigureTelemetryOptInSettingsUxDisableTelemetryOptInSettingsUxSoftware\Policies\Microsoft\Windows\DataCollectiononecore\base\telemetry\permission\product\telemetrypermission.cppTelemetryPermission-AllowDisableTelemetryPermission-DefaultLevelKernel-ProductInfoAllowTelemetry_PolicyManagerReserved.PlatformSignedCodeIntegrity.Telemetry
Source: DWWIN.EXE.5.dr | Binary string: %X%sInPageCoFireInPageError%s\system32\cofire.exe"%s" "%s" "%s"\Device\LanmanRedirector\%s :psapi.dllGetMappedFileNameWsfc_os.dllSfcIsFileProtectedFindFirstFileNameWFindNextFileNameWwdi.dll;D
Source: classification engine | Classification label: mal100.troj.evad.winDLL@45/15@5/0
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: 13_2_00007FF679F92C60 memset,ImpersonateLoggedOnUser,RevertToSelf,CoTaskMemFree,GetSystemMetrics,CoCreateInstance,GetDriveTypeW,memset,GetLastError,13_2_00007FF679F92C60
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Code function: 30_2_00007FF7EAE9E55C OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,RtlInitUnicodeString,30_2_00007FF7EAE9E55C
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe | Code function: 15_2_00007FFC67E1B420 GetProcessId,CreateToolhelp32Snapshot,Thread32First,Thread32Next,15_2_00007FFC67E1B420
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe | Mutant created: \Sessions\1\BaseNamedObjects\{b1a0966b-ebe1-a316-4592-063e04716434}
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe | Mutant created: \Sessions\1\BaseNamedObjects\{a32f501c-157b-d61c-09ee-04263fde8dbb}
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: 13_2_00007FF679FA0E88 FindResourceExW,LoadResource,LockResource,13_2_00007FF679FA0E88
Source: cmstp.exe | String found in binary or memory: /k certutil.exe -f -enterprise -v -addstore Root "%s"
Source: DWWIN.EXE | String found in binary or memory: %s /stop
Source: dry.dll | Static PE information: Image base 0x140000000 > 0x60000000
Source: dry.dll | Static file information: File size 1372160 > 1048576
Source: dry.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: dry.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: consent.pdb | source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
Source: Binary string: SndVol.pdbGCTL | source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
Source: Binary string: cmstp.pdbGCTL | source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
Source: Binary string: FFgnji|RgnjiR.pdb | source: SysResetErr.exe, 0000000F.00000002.410461412.00000204E63D7000.00000004.00000020.00020000.00000000.sdmp, SysResetErr.exe, 0000000F.00000002.410154109.00000204E622E000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448408637.0000016FCD5A2000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448269347.0000016FCD449000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.476969443.0000025594C81000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.477066927.0000025594DE1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513393199.0000029561289000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513278214.0000029561127000.00000004.00000020.00020000.00000000.sdmp, dry.dll, VERSION.dll.5.dr, VERSION.dll0.5.dr, UxTheme.dll.5.dr, WINSTA.dll.5.dr, DUI70.dll.5.dr, XmlLite.dll.5.dr, WMsgAPI.dll.5.dr
Source: Binary string: sppsvc.pdb | source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
Source: Binary string: SysResetErr.pdb | source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
Source: Binary string: dwwin.pdbGCTL | source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
Source: Binary string: cmstp.pdb | source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
Source: Binary string: sppsvc.pdbGCTL | source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
Source: Binary string: dwwin.pdb | source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
Source: Binary string: consent.pdbUGP | source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
Source: Binary string: SndVol.pdb | source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
Source: Binary string: SysResetErr.pdbGCTL | source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682E7E4C push rax; iretd 0_2_00007FFC682E7E4D
Source: dry.dll | Static PE information: section name: .cwkw
Source: dry.dll | Static PE information: section name: .pbpwn
Source: dry.dll | Static PE information: section name: .pem
Source: dry.dll | Static PE information: section name: .vpd
Source: dry.dll | Static PE information: section name: .ianurq
Source: sppsvc.exe.5.dr | Static PE information: section name: ?g_Encry
Source: SndVol.exe.5.dr | Static PE information: section name: .imrsiv
Source: SndVol.exe.5.dr | Static PE information: section name: .didat
Source: consent.exe.5.dr | Static PE information: section name: .didat
Source: consent.exe.5.dr | Static PE information: section name: consent
Source: SysResetErr.exe.5.dr | Static PE information: section name: .imrsiv
Source: consent.exe0.5.dr | Static PE information: section name: .didat
Source: consent.exe0.5.dr | Static PE information: section name: consent
Source: XmlLite.dll.5.dr | Static PE information: section name: .cwkw
Source: XmlLite.dll.5.dr | Static PE information: section name: .pbpwn
Source: XmlLite.dll.5.dr | Static PE information: section name: .pem
Source: XmlLite.dll.5.dr | Static PE information: section name: .vpd
Source: XmlLite.dll.5.dr | Static PE information: section name: .ianurq
Source: XmlLite.dll.5.dr | Static PE information: section name: .lvil
Source: UxTheme.dll.5.dr | Static PE information: section name: .cwkw
Source: UxTheme.dll.5.dr | Static PE information: section name: .pbpwn
Source: UxTheme.dll.5.dr | Static PE information: section name: .pem
Source: UxTheme.dll.5.dr | Static PE information: section name: .vpd
Source: UxTheme.dll.5.dr | Static PE information: section name: .ianurq
Source: UxTheme.dll.5.dr | Static PE information: section name: .ilyvtg
Source: WMsgAPI.dll.5.dr | Static PE information: section name: .cwkw
Source: WMsgAPI.dll.5.dr | Static PE information: section name: .pbpwn
Source: WMsgAPI.dll.5.dr | Static PE information: section name: .pem
Source: WMsgAPI.dll.5.dr | Static PE information: section name: .vpd
Source: WMsgAPI.dll.5.dr | Static PE information: section name: .ianurq
Source: DUI70.dll.5.dr | Static PE information: section name: .cwkw
Source: DUI70.dll.5.dr | Static PE information: section name: .pbpwn
Source: DUI70.dll.5.dr | Static PE information: section name: .pem
Source: DUI70.dll.5.dr | Static PE information: section name: .vpd
Source: DUI70.dll.5.dr | Static PE information: section name: .ianurq
Source: DUI70.dll.5.dr | Static PE information: section name: .dqihw
Source: WINSTA.dll.5.dr | Static PE information: section name: .cwkw
Source: WINSTA.dll.5.dr | Static PE information: section name: .pbpwn
Source: WINSTA.dll.5.dr | Static PE information: section name: .pem
Source: WINSTA.dll.5.dr | Static PE information: section name: .vpd
Source: WINSTA.dll.5.dr | Static PE information: section name: .ianurq
Source: WINSTA.dll.5.dr | Static PE information: section name: .kfs
Source: VERSION.dll.5.dr | Static PE information: section name: .cwkw
Source: VERSION.dll.5.dr | Static PE information: section name: .pbpwn
Source: VERSION.dll.5.dr | Static PE information: section name: .pem
Source: VERSION.dll.5.dr | Static PE information: section name: .vpd
Source: VERSION.dll.5.dr | Static PE information: section name: .ianurq
Source: VERSION.dll.5.dr | Static PE information: section name: .fez
Source: VERSION.dll0.5.dr | Static PE information: section name: .cwkw
Source: VERSION.dll0.5.dr | Static PE information: section name: .pbpwn
Source: VERSION.dll0.5.dr | Static PE information: section name: .pem
Source: VERSION.dll0.5.dr | Static PE information: section name: .vpd
Source: VERSION.dll0.5.dr | Static PE information: section name: .ianurq
Source: VERSION.dll0.5.dr | Static PE information: section name: .jksgp
Source: DWWIN.EXE.5.dr | Static PE information: section name: .didat
Source: SndVol.exe.5.dr | Static PE information: 0x6E534A77 [Sun Aug 27 01:25:11 2028 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.76153125253
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\GsjW\sppsvc.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\y1c6p\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\GsjW\XmlLite.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\oudoiG\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\DLKXiO\consent.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F8591C memset,memset,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,LoadStringW,MessageBoxW,CmMalloc,GetPrivateProfileStringW,CmRealloc,CmMalloc,GetPrivateProfileStringW,CmRealloc,GetPrivateProfileStringW,GetPrivateProfileStringW,WritePrivateProfileStringW,lstrlenW,lstrlenW,WritePrivateProfileStringW,CmFree,CmFree,GetSystemDirectoryW,27_2_00007FF768F8591C
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F89160 GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,GetOSVersion,GetOSMajorVersion,CmFree,27_2_00007FF768F89160
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F86068 RegOpenKeyExW,RegQueryValueExW,GetPrivateProfileIntW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,27_2_00007FF768F86068
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F8637C GetSystemDirectoryW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,RegOpenKeyExW,RegQueryInfoKeyW,RegCloseKey,LoadStringW,lstrlenW,lstrlenW,lstrlenW,LoadStringW,LoadStringW,MessageBoxW,GetSystemDirectoryW,LoadStringW,MessageBoxW,27_2_00007FF768F8637C
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F87480 LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,LoadStringW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadStringW,MessageBoxW,LoadStringW,MessageBoxW,CmFree,GetPrivateProfileIntW,CmFree,lstrlenW,CmFree,CmFree,LoadStringW,MessageBoxW,WritePrivateProfileStringW,WritePrivateProfileStringW,CmFree,memset,memset,memset,RegOpenKeyExW,RegQueryValueExW,ExpandEnvironmentStringsW,lstrcmpiW,LoadStringW,MessageBoxW,CmMalloc,GetPrivateProfileStringW,CmRealloc,CmMalloc,GetPrivateProfileStringW,CmRealloc,GetPrivateProfileStringW,GetPrivateProfileStringW,WritePrivateProfileStringW,lstrlenW,lstrlenW,WritePrivateProfileStringW,CmFree,CmFree,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,LoadStringW,MessageBoxW,RegCloseKey,RegCloseKey,memset,memset,CopyFileW,LoadStringW,MessageBoxW,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,GetOSVersion,GetOSMajorVersion,CreateFileW,CloseHandle,GetOSVersion,GetOSMajorVersion,GetOSVersion,GetOSMajorVersion,lstrlenW,CmMalloc,lstrlenW,CmFree,CmFree,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,LoadStringW,MessageBoxExW,ReleaseMutex,CloseHandle,CmMalloc,memset,CmFree,CmMalloc,memset,ShellExecuteExW,GetLastError,SHGetMalloc,CoUninitialize,LoadStringW,MessageBoxW,CmFree,CmFree,27_2_00007FF768F87480
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F8AAD4 memset,memset,memset,memset,LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,lstrlenW,RegSetValueExW,RegCloseKey,lstrlenW,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,CmFree,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,GetOSVersion,GetOSMajorVersion,CreateFileW,CloseHandle,GetOSVersion,GetOSMajorVersion,CmFree,GetPrivateProfileIntW,SetFileAttributesW,memset,SHFileOperationW,RegCloseKey,RegCloseKey,27_2_00007FF768F8AAD4
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F81000 GetPrivateProfileStringW,GetModuleHandleA,GetProcAddress,GetCurrentProcess,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadLibraryExW,GetProcAddress,GetProcAddress,FreeLibrary,27_2_00007FF768F81000
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F89E10 RegOpenKeyExW,GetPrivateProfileIntW,GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,memset,RegEnumValueW,RegCloseKey,27_2_00007FF768F89E10
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | API coverage: 2.0 %
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe | API coverage: 2.0 %
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | API coverage: 6.5 %
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | API coverage: 0.4 %
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682ECC90 GetSystemInfo,0_2_00007FFC682ECC90
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682EDBE0 FindFirstFileExW,0_2_00007FFC682EDBE0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe | Code function: 15_2_00007FFC67E3DBE0 FindFirstFileExW,15_2_00007FFC67E3DBE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F871E0 memset,GetPrivateProfileStringW,FindFirstFileW,wcscmp,memset,FindNextFileW,27_2_00007FF768F871E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F84008 memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,lstrlenW,CmMalloc,CmFree,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,27_2_00007FF768F84008
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FFC6E2EDBE0 FindFirstFileExW,27_2_00007FFC6E2EDBE0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Code function: 30_2_00007FF7EAE96678 memset,StrStrIW,GetLogicalDriveStringsW,QueryDosDeviceW,StrStrIW,30_2_00007FF7EAE96678
Source: explorer.exe, 00000005.00000000.300736348.000000000EE50000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.300001860.0000000008957000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.312524507.00000000086C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.299785013.0000000008778000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000005.00000000.309086880.00000000067C2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.312524507.00000000086C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000005.00000000.309086880.00000000067C2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000005.00000000.312524507.00000000086C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: 13_2_00007FF679F95014 IsDebuggerPresent,13_2_00007FF679F95014
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe | Code function: 15_2_00007FF67A422940 _cwprintf_s_l,OutputDebugStringW,GetLastError,CurrentIP,WdsSetupLogMessageW,15_2_00007FF67A422940
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: 13_2_00007FF679F97944 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_00007FF679F97944
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC682D7EA0 LdrLoadDll,FindClose,0_2_00007FFC682D7EA0
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F94940 SetUnhandledExceptionFilter,13_2_00007FF679F94940
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F94630 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00007FF679F94630
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FF67A423C80 SetUnhandledExceptionFilter,15_2_00007FF67A423C80
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FF67A423F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF67A423F04
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D124940 SetUnhandledExceptionFilter,23_2_00007FF60D124940
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exeCode function: 23_2_00007FF60D124630 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00007FF60D124630
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8EC00 SetUnhandledExceptionFilter,27_2_00007FF768F8EC00
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exeCode function: 27_2_00007FF768F8E910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00007FF768F8E910
              Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXECode function: 30_2_00007FF7EAEA4060 SetUnhandledExceptionFilter,30_2_00007FF7EAEA4060
              Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXECode function: 30_2_00007FF7EAEA466C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,30_2_00007FF7EAEA466C

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: XmlLite.dll.5.dr
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Code function: 30_2_00007FF7EAE91568 memset,GetProcessId,GetLastError,VirtualAlloc,GetCurrentProcess,DuplicateHandle,CreateEventW,NtQuerySystemInformation,GetThreadId,VirtualAllocEx,WriteProcessMemory,RtlDetermineDosPathNameType_U,RtlGetNtSystemRoot,DbgPrintEx,DbgPrintEx,RtlGetCurrentTransaction,RtlSetCurrentTransaction,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,DbgPrintEx,InitializeProcThreadAttributeList,GetLastError,GetLastError,VirtualAlloc,InitializeProcThreadAttributeList,GetLastError,UpdateProcThreadAttribute,GetLastError,CreateProcessW,GetLastError,NtWaitForMultipleObjects,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,VirtualFree,RtlSetCurrentTransaction,CloseHandle,VirtualFree | 30_2_00007FF7EAE91568
Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: 13_2_00007FF679F9A808 memset,RtlAdjustPrivilege,LsaRegisterLogonProcess,NtAllocateLocallyUniqueId,RegGetValueW,LsaLogonUser,LsaLogonUser,RtlNtStatusToDosError,NtClose,LsaFreeReturnBuffer,LsaDeregisterLogonProcess | 13_2_00007FF679F9A808
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F845D0 AllocateAndInitializeSid,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeSid,FreeLibrary | 27_2_00007FF768F845D0
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.335801965.00000000011E0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.291163470.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.335495634.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.305244854.0000000000B68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman\Pr
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.295269189.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.335801965.00000000011E0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr | Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.335801965.00000000011E0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.312590871.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.329692189.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.299785013.0000000008778000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndh
Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: _wtoi,GetLocaleInfoW,CoTaskMemAlloc,GetLocaleInfoW,CoTaskMemFree,CoTaskMemAlloc,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree | 13_2_00007FF679F9C0CC
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe | Code function: _wtoi,GetLocaleInfoW,CoTaskMemAlloc,GetLocaleInfoW,CoTaskMemFree,CoTaskMemAlloc,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree | 23_2_00007FF60D12C0CC
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: 13_2_00007FF679F94AD0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter | 13_2_00007FF679F94AD0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe | Code function: 27_2_00007FF768F8CB20 memset,GetSystemInfo,GetVersionExW | 27_2_00007FF768F8CB20
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe | Code function: 13_2_00007FF679F93940 LocalAlloc,ImpersonateLoggedOnUser,GetLastError,GetUserNameExW,GetLastError,RevertToSelf,wcschr,LoadUserProfileW,GetLastError,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,SetEvent,SetEvent,CloseHandle,CloseHandle,memset,ImpersonateLoggedOnUser,GetLastError,CreateFileW,GetLastError,wcsrchr,RevertToSelf,CloseHandle,CloseHandle,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,SetEvent,SetEvent,CloseHandle,CloseHandle,UnloadUserProfile,LocalFree,CloseHandle | 13_2_00007FF679F93940
MITRE ATT&CK matrix, listed per tactic column (a number in parentheses is the count the report shows for that technique; techniques without a count are the unpopulated matrix template):

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2), Service Execution (2), Native API (1), Exploitation for Client Execution (1), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Valid Accounts (1), Windows Service (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Windows Service (1), Process Injection (412), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Masquerading (1), Valid Accounts (1), Access Token Manipulation (11), Process Injection (412), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Rundll32 (1), Software Packing (2), Timestomp (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (31), Process Discovery (3), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (35), Network Service Scanning, System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 575240, Sample: dry.dll, Startdate: 20/02/2022, Architecture: WINDOWS, Score: 100 (numbers in square brackets are the node badges from the graph; see the legend above)
• DNS/IP: canonicalizer.ucsuri.tcs
• Sample signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 6 other signatures
• Sample started loaddll64.exe [1]
• loaddll64.exe started rundll32.exe, cmd.exe [1], rundll32.exe, rundll32.exe
• rundll32.exe signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
• rundll32.exe injected explorer.exe [2 52]
• cmd.exe started rundll32.exe
• explorer.exe dropped C:\Users\user\AppData\Local\...\DUI70.dll (PE32+), C:\Users\user\AppData\Local\...\VERSION.dll (PE32+), C:\Users\user\AppData\Local\...\DWWIN.EXE (PE32+), 11 other files (4 malicious)
• explorer.exe signature: Benign windows process drops PE files
• explorer.exe started DWWIN.EXE, cmstp.exe, SysResetErr.exe, 14 other processes
• DWWIN.EXE signature: Contains functionality to inject code into remote processes

Source | Detection | Scanner | Label
dry.dll | 71% | Virustotal |
dry.dll | 56% | Metadefender |
dry.dll | 82% | ReversingLabs | Win64.Infostealer.Dridex
dry.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
dry.dll | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\oudoiG\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\oudoiG\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll | 100% | Avira | TR/Crypt.XPACK.Gen4
C:\Users\user\AppData\Local\GsjW\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\oudoiG\VERSION.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\oudoiG\VERSION.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\GsjW\XmlLite.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\0rPbJb\SndVol.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\0rPbJb\SndVol.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\0rPbJb\SndVol.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\DLKXiO\consent.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\DLKXiO\consent.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\GsjW\sppsvc.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\GsjW\sppsvc.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe | 0% | ReversingLabs |
Source | Detection | Scanner | Label
27.2.cmstp.exe.7ffc6e290000.3.unpack | 100% | Avira | HEUR/AGEN.1138339
8.2.rundll32.exe.7ffc68290000.2.unpack | 100% | Avira | HEUR/AGEN.1138339
0.2.loaddll64.exe.1d745960000.0.unpack | 100% | Avira | HEUR/AGEN.1202768
8.2.rundll32.exe.1bde0fe0000.1.unpack | 100% | Avira | HEUR/AGEN.1202768
4.2.rundll32.exe.7ffc68290000.2.unpack | 100% | Avira | HEUR/AGEN.1138339
3.2.rundll32.exe.7ffc68290000.2.unpack | 100% | Avira | HEUR/AGEN.1138339
4.2.rundll32.exe.18772c80000.1.unpack | 100% | Avira | HEUR/AGEN.1202768
27.2.cmstp.exe.16fcb7b0000.0.unpack | 100% | Avira | HEUR/AGEN.1202768
6.2.rundll32.exe.14c9a260000.1.unpack | 100% | Avira | HEUR/AGEN.1202768
35.2.sppsvc.exe.7ffc6e290000.3.unpack | 100% | Avira | HEUR/AGEN.1138339
0.2.loaddll64.exe.7ffc68290000.2.unpack | 100% | Avira | HEUR/AGEN.1138339
6.2.rundll32.exe.7ffc68290000.2.unpack | 100% | Avira | HEUR/AGEN.1138339
15.2.SysResetErr.exe.7ffc67de0000.3.unpack | 100% | Avira | HEUR/AGEN.1138339
3.2.rundll32.exe.267f4940000.1.unpack | 100% | Avira | HEUR/AGEN.1202768
30.2.DWWIN.EXE.7ffc6e290000.3.unpack | 100% | Avira | HEUR/AGEN.1138339
30.2.DWWIN.EXE.25593050000.0.unpack | 100% | Avira | HEUR/AGEN.1202768
35.2.sppsvc.exe.2955f650000.0.unpack | 100% | Avira | HEUR/AGEN.1202768
15.2.SysResetErr.exe.204e44f0000.0.unpack | 100% | Avira | HEUR/AGEN.1202768
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
canonicalizer.ucsuri.tcs | unknown | unknown | false | | unknown
No contacted IP infos
                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:575240
                Start date:20.02.2022
                Start time:08:19:09
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 13m 39s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:dry.dll
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:38
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Detection:MAL
                Classification:mal100.troj.evad.winDLL@45/15@5/0
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 26.3% (good quality ratio 21.1%)
                • Quality average: 55.4%
                • Quality standard deviation: 35.4%
                HCA Information:
                • Successful, ratio: 98%
                • Number of executed functions: 41
                • Number of non-executed functions: 158
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .dll
                • Connection to analysis system has been lost, crash info: Unknown
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtEnumerateKey calls found.
                No simulations
                No context
                No context
                No context
                No context
Match: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe
Associated Sample Name / URL (Detection: malicious for each): AkpjUKjiAM.dll, CSSmwdf3UF.dll, 24ac5jNpCI.dll, lyQcmMduLy.dll, msHfoFVqcF.dll, 7zwj6oFA8Q.dll, wXUkNWM7P0.dll, EcPDKIddT5.dll, B9lqvI6lNP.dll, qFWVUQUdX0.dll, N34jiNSWAx.dll, tTu83mphhX.dll, ZZpllNXa3O.dll, zB14GfXeGv.dll, 6GhwZJ6uY0.dll, Y4Gd7K2a8m.dll, N4sGYY5pSn.dll, 4aD3lTQ3ku.dll, vVPS3LRIrm.dll, C3AGWzJKYE.dll
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):259904
                                                        Entropy (8bit):5.955701055747905
                                                        Encrypted:false
                                                        SSDEEP:3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
                                                        MD5:CDD7C7DF2D0859AC3F4088423D11BD08
                                                        SHA1:128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
                                                        SHA-256:D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
                                                        SHA-512:A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
                                                        Malicious:false
                                                        Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
• Filename: AkpjUKjiAM.dll, Detection: malicious
• Filename: CSSmwdf3UF.dll, Detection: malicious
• Filename: 24ac5jNpCI.dll, Detection: malicious
• Filename: lyQcmMduLy.dll, Detection: malicious
• Filename: msHfoFVqcF.dll, Detection: malicious
• Filename: 7zwj6oFA8Q.dll, Detection: malicious
• Filename: wXUkNWM7P0.dll, Detection: malicious
• Filename: EcPDKIddT5.dll, Detection: malicious
• Filename: B9lqvI6lNP.dll, Detection: malicious
• Filename: qFWVUQUdX0.dll, Detection: malicious
• Filename: N34jiNSWAx.dll, Detection: malicious
• Filename: tTu83mphhX.dll, Detection: malicious
• Filename: ZZpllNXa3O.dll, Detection: malicious
• Filename: zB14GfXeGv.dll, Detection: malicious
• Filename: 6GhwZJ6uY0.dll, Detection: malicious
• Filename: Y4Gd7K2a8m.dll, Detection: malicious
• Filename: N4sGYY5pSn.dll, Detection: malicious
• Filename: 4aD3lTQ3ku.dll, Detection: malicious
• Filename: vVPS3LRIrm.dll, Detection: malicious
• Filename: C3AGWzJKYE.dll, Detection: malicious
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1376256
                                                        Entropy (8bit):5.014670719687533
                                                        Encrypted:false
                                                        SSDEEP:12288:slORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:gORVEVNmaDznMlqVNE27dJ8J2inNx
                                                        MD5:119D43AEE03F7225BC2DCB9758976345
                                                        SHA1:D319D9BF1C114A6B348E524FE493D629051EA78B
                                                        SHA-256:B75A0694F4450FB2669A15039537A666D40FD592D75C0300F0A4262D86A86D8B
                                                        SHA-512:C1A72C43D0866B8508AE5D0F3ECDF5DFF184A6862BC93E8BCDD569A650086051C7918186CEFF816503EE2566BE336793F7190C9D698FB543CC04307B4068F39A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1372160
                                                        Entropy (8bit):5.013506443062603
                                                        Encrypted:false
                                                        SSDEEP:12288:alORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:OORVEVNmaDznMlqVNE27dJ8J2inNx
                                                        MD5:4E74BAB6EE3BFC6FA8A83FF4932E1B0B
                                                        SHA1:6DAEBBD85383F6ED11734BF342DE98051BC66985
                                                        SHA-256:10108D4E0584A0F4218094210008B0802CF79BF4325983A16E1E31CEA14A76AC
                                                        SHA-512:BFA2EDB51E5CE6A59FBD7BA2C55E6985F77B3A63DC00ABA2436F689F934CD571E17A6C9A895F0CEAB0C96ED379151605D98A6D9D21B0ED545F38A5685B83E248
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):157080
                                                        Entropy (8bit):5.924344092826888
                                                        Encrypted:false
                                                        SSDEEP:3072:4eana1Hze2vHL+u5F28BrciRXBis72z5B+o:Aa1TfD+u5F2wrTio2z2o
                                                        MD5:74D31E4F51873160D91B1F80E0C472D0
                                                        SHA1:35DEC0D1A12C6F1F7A460E3AE75E4D74D5BD815A
                                                        SHA-256:113813A699063EBF391D436A4EFE0B6F95F81E12AF773FABE5511B5CA08E189C
                                                        SHA-512:F026CBBDF3792A05091B3CC0A97F825D353BC5FF9AB7248F4544B81BA2F86FD28CEB04468D755715BB3BD220BB72781DC079423D912A56E3793AC1687AEE7E05
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: Metadefender, Detection: 0%
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1376256
                                                        Entropy (8bit):5.00173504502067
                                                        Encrypted:false
                                                        SSDEEP:12288:4lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:8ORVEVNmaDznMlqVNE27dJ8J2inNx
                                                        MD5:AF59F0A6E12F5BAED3D43F9834F4D94B
                                                        SHA1:815BBF09917B4BBF81E82184227B5ECD0B8146BB
                                                        SHA-256:F4A6912D5E559E145C0DC0E33079F856886AD1165BD7773DA037E9E760202232
                                                        SHA-512:DDA08D082DF135515642046CCC337140AC9672296AE8882497E05C29481D41422DA46DA8513B8675320AF91AB33E46B4AAFC02B53EA60FD34A847130AEAFE6B8
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):4527680
                                                        Entropy (8bit):7.180545050051135
                                                        Encrypted:false
                                                        SSDEEP:49152:hzB335WOshFXigiF5l5mpb0+bOnBmB8XEsDfA+uLCKls0did8Pf6ZJ6t3Ovenev1:8X5iFrEpdAkZ6W3xYBP149K
                                                        MD5:FEEC8055C5986182C717DD888000AEF6
                                                        SHA1:7749D1C531D85C69047576B3BB3525E0B01A2942
                                                        SHA-256:E09B7B1DE43A226842A4B8C591D712E51585BC7E8A39CFB8852CBF16D234C3A6
                                                        SHA-512:822869C750682453770C66D7C6665CECCCB0BB27ECEB8E0A9202FE5C194249235928005734504AED79D80583CED2A2F203D4133A11E7F4A8D6160F21F7F3919F
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: Metadefender, Detection: 0%
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1380352
                                                        Entropy (8bit):5.021595856508205
                                                        Encrypted:false
                                                        SSDEEP:12288:plORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:vORVEVNmaDznMlqVNE27dJ8J2inNx
                                                        MD5:1367EA1D2FB80856D934FC85D5BC1CA3
                                                        SHA1:D32840D9585DC3912CBCDA2ED5B2CD1749EA6F90
                                                        SHA-256:978D7EF5411593FD8A52C4E7139E13BB6F514AFE59D1CE3A51067E8D65959FB4
                                                        SHA-512:B366F6120651CBC4E0F3AC585825D74710C01D3D7EE58F641201383DC2CA6FB6C68B9D06A3880F2FBF2170DD0B07CA8BFF860FC8283629A7B329DC077F2B2F1C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):157080
                                                        Entropy (8bit):5.924344092826888
                                                        Encrypted:false
                                                        SSDEEP:3072:4eana1Hze2vHL+u5F28BrciRXBis72z5B+o:Aa1TfD+u5F2wrTio2z2o
                                                        MD5:74D31E4F51873160D91B1F80E0C472D0
                                                        SHA1:35DEC0D1A12C6F1F7A460E3AE75E4D74D5BD815A
                                                        SHA-256:113813A699063EBF391D436A4EFE0B6F95F81E12AF773FABE5511B5CA08E189C
                                                        SHA-512:F026CBBDF3792A05091B3CC0A97F825D353BC5FF9AB7248F4544B81BA2F86FD28CEB04468D755715BB3BD220BB72781DC079423D912A56E3793AC1687AEE7E05
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: Metadefender, Detection: 0%
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):210944
                                                        Entropy (8bit):6.120150246944804
                                                        Encrypted:false
                                                        SSDEEP:6144:JXatPVkbIwsNIUwrMWzp3jRiVbsBwnNCm:KacJNmYWzri9I8Y
                                                        MD5:3C21F944D5FF44E45BC753919F6AE445
                                                        SHA1:47D86DB63905203837FEDFF006C20E0717716160
                                                        SHA-256:2952F67C8882C9B1FAF0425C2047613EA147EBE6BE610B174A627B760B5C59F3
                                                        SHA-512:03965F1952AC90D43E579A9ACEC01290134949438C1525B3A3170DC998336C7F20F5650AE27BB428E6ED77810756438CB35D9CDD6B4FB4AF26A332EB8DC23972
                                                        Malicious:true
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1376256
                                                        Entropy (8bit):5.002940406932
                                                        Encrypted:false
                                                        SSDEEP:12288:+lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:CORVEVNmaDznMlqVNE27dJ8J2inNx
                                                        MD5:6A433E0692F93D6EA886128CA048DC76
                                                        SHA1:C2583C249530B63023F3BFD1014B2E21FBFD210B
                                                        SHA-256:7071CEB809E1259B9B7A9EE26059CFFB695597C2554A933DFF933571331CF22E
                                                        SHA-512:520B41951D6E2459B34D69C1C81CFE420EF0D856A34A83573CE54C9F3F208D9AC9D941719C6DD1825E558601FFB8E497B532C79FFB37B118689C34AEC5D4C90F
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1658880
                                                        Entropy (8bit):5.4487843616720495
                                                        Encrypted:false
                                                        SSDEEP:12288:llORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx7BK:bORVEVNmaDznMlqVNE27dJ8J2inNx7
                                                        MD5:90CAFAE897080913A8CC42EDD70F1EDD
                                                        SHA1:2CB8E96190567E28223890A7D64D00CEE9DCC202
                                                        SHA-256:3050C8CB5530EF03B66A8D89CC9BE9B83060290FC7B1ADC266AA38E036C566EC
                                                        SHA-512:3665BCE424F86F8CC3AB7E8E1C07A8CC65F5C78C445BB0CB89997A2C3B9190F57CD1489679EDCB312CF992D847D01E0208587A15E1DF9278EFA8E22B82677F96
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):42392
                                                        Entropy (8bit):5.943178981884173
                                                        Encrypted:false
                                                        SSDEEP:768:zYVfzVTBuXwMHhrdXbsxoXF8Q0no8pV1Pxo:CfuXXrdrXXD0no8xPxo
                                                        MD5:6A3F2F3C36FE45A87E3BFA80B6D92E07
                                                        SHA1:8C211767AD8393F9F184FC926FE3B8913F414289
                                                        SHA-256:069608FF0FF5918681A80CF7603275DC6CD7D416A73D033D19962B0F0F1E1EAC
                                                        SHA-512:A75669E0481901FC7CFCA55FBC7BD7FC0E8636767537017A41B1C720F34B5AD45AC75555D0AD246AC0DF670FDC31CBA1BEFD21D63E112AD427472DE3EA59CAA6
                                                        Malicious:false
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1376256
                                                        Entropy (8bit):5.00289604284856
                                                        Encrypted:false
                                                        SSDEEP:12288:glORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:UORVEVNmaDznMlqVNE27dJ8J2inNx
                                                        MD5:9491BB6F5E9F7443CD95617BA713E9AF
                                                        SHA1:E322CBCD1F7789DFF816E1398FCE97925AF34937
                                                        SHA-256:23FA64118E9250A0F0D225A813E5895D0A2260B0D0E8188A54F0EC487BA28C9F
                                                        SHA-512:9DB6159FF7F4834570F7E6CB5F5F25150C3C1834C859220C9ABA13D53499EDFEA9593DF0EAFA9C2D72D56EB24F62AFB4584F8491D2E1A5ECA654C103070CDEC2
                                                        Malicious:false
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):92672
                                                        Entropy (8bit):5.749238064237604
                                                        Encrypted:false
                                                        SSDEEP:1536:7oIXq0f2yF9sDb/RjxgnvkmVUqAVnKUMjbWg+I/87BM/Z4j8Qi1Yv9V:0Izw/RooolWIk7BM/ZNQi1EV
                                                        MD5:2A9828E0C405422D166E0141054A04B3
                                                        SHA1:84AA48946D4F9A9DFE4C1AF6F96C44B643229A73
                                                        SHA-256:94152FB98573FE31C0CE49D260D760DD173741D663414DE718A37AAC7E8EF11F
                                                        SHA-512:B9B0472706C11D3AECDAB055D4CF319EDD50E8C97B7099D1DC7B768812E804975392E327A1E62301077AB92C1CA97E706628B07172892AB09753FBDD9A07277D
                                                        Malicious:false
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1450
                                                        Entropy (8bit):7.3483724297376805
                                                        Encrypted:false
                                                        SSDEEP:24:U+zDBW7TtU5LZ0Ezzo0VOb2T82x+wgNK5tb9H9aV4++kKI77oZBZtxUxsw:UADgTtU70E7L82xZHH2z+kKI7qUxN
                                                        MD5:86C68B8FD1449527DE2236FF9203D1A8
                                                        SHA1:5678A470E16DE0815D29B463CD32B31FEEB97013
                                                        SHA-256:A6F04F4EEFBE8055640DF7FD0EFCA410663F76AA9D746EC32A9BAF1A24F76BC0
                                                        SHA-512:97DCBAA0FFF2F31CC55095891F6B02FDA48E2F8E50B4BFD79E0F60715BD6689F45AC48025BA4512F396ECBD4E3D816169C07E8E9364158135D17548E0BDB938B
                                                        Malicious:false
                                                        File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Entropy (8bit):5.013513255725167
                                                        TrID:
                                                        • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                        • Win64 Executable (generic) (12005/4) 10.17%
                                                        • Generic Win/DOS Executable (2004/3) 1.70%
                                                        • DOS Executable Generic (2002/1) 1.70%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                        File name:dry.dll
                                                        File size:1372160
                                                        MD5:4bec705de3584b911018c84f31659a17
                                                        SHA1:b29ff37578ef950b702ec5db59161294c2e1a7b3
                                                        SHA256:13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635
                                                        SHA512:5841f5d288fa4496391fa008326d15ac9abc644c07bf970b20fd1ed2719d5ce01c457d84d17fc8025ff801d7aaec371ee2b6504cabab853d02fb6c1ad49ec423
                                                        SSDEEP:12288:6lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:uORVEVNmaDznMlqVNE27dJ8J2inNx
                                                        Icon Hash:74f0e4ecccdce0e4
                                                        Entrypoint:0x140042ad0
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x140000000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                        Time Stamp:0x5E76817A [Sat Mar 21 21:04:58 2020 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:0
                                                        File Version Major:5
                                                        File Version Minor:0
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:0
                                                        Import Hash:a272733471032e2064bf69c66a9c775a
                                                        Instruction
                                                        dec eax
                                                        mov dword ptr [0006E699h], ecx
                                                        dec eax
                                                        lea ecx, dword ptr [FFFFEA62h]
                                                        dec esp
                                                        mov dword ptr [0006E6ABh], eax
                                                        dec esp
                                                        mov dword ptr [0006E6B4h], edi
                                                        dec esp
                                                        mov eax, esi
                                                        dec eax
                                                        mov dword ptr [0006E6B2h], eax
                                                        dec eax
                                                        mov eax, 00001204h
                                                        dec eax
                                                        add ecx, eax
                                                        dec esp
                                                        mov dword ptr [0006E6B1h], esp
                                                        dec eax
                                                        sub ecx, 00001204h
                                                        dec eax
                                                        mov dword ptr [0006E6ABh], esi
                                                        dec eax
                                                        test eax, eax
                                                        je 00007F28489BF6D0h
                                                        dec eax
                                                        mov eax, ecx
                                                        dec eax
                                                        mov dword ptr [0006E664h], esp
                                                        dec eax
                                                        mov dword ptr [0006E655h], ebp
                                                        dec eax
                                                        mov dword ptr [0006E69Eh], ebx
                                                        dec eax
                                                        mov dword ptr [0006E68Fh], edi
                                                        dec eax
                                                        test eax, eax
                                                        je 00007F28489BF6ACh
                                                        dec esp
                                                        mov dword ptr [0006E653h], ecx
                                                        dec esp
                                                        mov dword ptr [0006E664h], ebp
                                                        dec eax
                                                        mov dword ptr [0006E625h], edx
                                                        jmp eax
                                                        dec eax
                                                        add edi, ecx
                                                        retn 0008h
                                                        ud2
                                                        int3
                                                        int3
                                                        int3
                                                        push esi
                                                        dec eax
                                                        sub esp, 70h
                                                        dec eax
                                                        lea eax, dword ptr [FFFF9F34h]
                                                        dec eax
                                                        mov edx, dword ptr [esp+60h]
                                                        dec ecx
                                                        mov eax, edx
                                                        dec ecx
                                                        and eax, 7C240CB9h
                                                        dec esp
                                                        mov dword ptr [esp+60h], eax
                                                        dec eax
                                                        mov dword ptr [esp+50h], 0B39C477h
                                                        dec ecx
                                                        mov eax, edx
                                                        dec ecx
                                                        xor eax, FFFFFFFFh
                                                        dec esp
                                                        mov dword ptr [esp+60h], eax
                                                        mov word ptr [eax+eax+00h], 0000h
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa8dd7 | 0x12e | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa8578 | 0x78 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbd000 | 0x3d8 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x0 | .text
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xdfc | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x430b0 | 0x38 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x43000 | 0xa8 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0x41ebf | 0x42000 | False | 0.781523733428 | data | 7.76153125253 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x43000 | 0x65f05 | 0x66000 | False | 0.697476256127 | data | 7.85586414334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0xa9000 | 0x12a18 | 0x13000 | False | 0.0770841899671 | data | 2.46325796792 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .pdata | 0xbc000 | 0x144 | 0x1000 | False | 0.062744140625 | data | 0.615463451963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xbd000 | 0x7af | 0x1000 | False | 0.117919921875 | data | 1.08794585954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0xbe000 | 0xdfc | 0x1000 | False | 0.39990234375 | data | 5.20528905542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .cwkw | 0xbf000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .pbpwn | 0xc0000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .pem | 0x106000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .vpd | 0x107000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .ianurq | 0x109000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_VERSION | 0xbd0a0 | 0x2dc | data | English | United States
                                                        RT_MANIFEST | 0xbd380 | 0x56 | ASCII text, with CRLF line terminators | English | United States
                                                        DLL | Import
                                                        SHLWAPI.dll | ChrCmpIW, UrlIsOpaqueW
                                                        GDI32.dll | GetPolyFillMode, CreateBitmapIndirect
                                                        USER32.dll | WaitForInputIdle, GetFocus, GetParent, LookupIconIdFromDirectoryEx
                                                        ADVAPI32.dll | GetServiceDisplayNameW
                                                        KERNEL32.dll | HeapUnlock, TerminateJobObject, DeleteTimerQueue, GetNamedPipeServerProcessId, GetConsoleFontSize, GetFileInformationByHandle, GetThreadLocale
                                                        Name | Ordinal | Address
                                                        CreateXmlReader | 1 | 0x140034b28
                                                        CreateXmlReaderInputWithEncodingCodePage | 2 | 0x140005f28
                                                        CreateXmlReaderInputWithEncodingName | 3 | 0x1400203d0
                                                        CreateXmlWriter | 4 | 0x140037b74
                                                        CreateXmlWriterOutputWithEncodingCodePage | 5 | 0x140015b64
                                                        CreateXmlWriterOutputWithEncodingName | 6 | 0x14001f778
                                                        Description | Data
                                                        LegalCopyright | Copyright 2005-2007 Mark Russinovich
                                                        InternalName | streams
                                                        FileVersion | 1.56
                                                        CompanyName | Sysinternals
                                                        ProductName | Sysinternals Streams
                                                        ProductVersion | 1.56
                                                        FileDescription | streams
                                                        OriginalFilename | streams.exe
                                                        Translation | 0x0409 0x04b0
                                                        Language of compilation system | Country where language is spoken | Map
                                                        English | United States |
                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                        02/20/22-08:22:03.280642 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.1 | 192.168.2.3
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Feb 20, 2022 08:22:56.190840960 CET | 56176 | 53 | 192.168.2.3 | 8.8.8.8
                                                        Feb 20, 2022 08:22:57.182591915 CET | 56176 | 53 | 192.168.2.3 | 8.8.8.8
                                                        Feb 20, 2022 08:22:58.182760000 CET | 56176 | 53 | 192.168.2.3 | 8.8.8.8
                                                        Feb 20, 2022 08:23:00.198551893 CET | 56176 | 53 | 192.168.2.3 | 8.8.8.8
                                                        Feb 20, 2022 08:23:04.214570999 CET | 56176 | 53 | 192.168.2.3 | 8.8.8.8
                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                        Feb 20, 2022 08:22:56.190840960 CET | 192.168.2.3 | 8.8.8.8 | 0x95f5 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                                                        Feb 20, 2022 08:22:57.182591915 CET | 192.168.2.3 | 8.8.8.8 | 0x95f5 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                                                        Feb 20, 2022 08:22:58.182760000 CET | 192.168.2.3 | 8.8.8.8 | 0x95f5 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                                                        Feb 20, 2022 08:23:00.198551893 CET | 192.168.2.3 | 8.8.8.8 | 0x95f5 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                                                        Feb 20, 2022 08:23:04.214570999 CET | 192.168.2.3 | 8.8.8.8 | 0x95f5 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                                                        Target ID:0
                                                        Start time:08:20:05
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\loaddll64.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:loaddll64.exe "C:\Users\user\Desktop\dry.dll"
                                                        Imagebase:0x7ff7d9bf0000
                                                        File size:140288 bytes
                                                        MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: @VK_Intel
                                                        Reputation:moderate

                                                        Target ID:1
                                                        Start time:08:20:05
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
                                                        Imagebase:0x7ff6b94e0000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:3
                                                        Start time:08:20:05
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader
                                                        Imagebase:0x7ff694030000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: @VK_Intel
                                                        Reputation:high

                                                        Target ID:4
                                                        Start time:08:20:06
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
                                                        Imagebase:0x7ff694030000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: @VK_Intel
                                                        Reputation:high

                                                        Target ID:5
                                                        Start time:08:20:07
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Explorer.EXE
                                                        Imagebase:0x7ff720ea0000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:6
                                                        Start time:08:20:09
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingCodePage
                                                        Imagebase:0x7ff694030000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: @VK_Intel
                                                        Reputation:high

                                                        Target ID:8
                                                        Start time:08:20:12
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingName
                                                        Imagebase:0x7ff694030000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Author: @VK_Intel
                                                        Reputation:high

                                                        Target ID:12
                                                        Start time:08:20:45
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\consent.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\consent.exe
                                                        Imagebase:0x7ff6b4af0000
                                                        File size:157080 bytes
                                                        MD5 hash:74D31E4F51873160D91B1F80E0C472D0
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Target ID:13
                                                        Start time:08:20:46
                                                        Start date:20/02/2022
                                                        Path:C:\Users\user\AppData\Local\DLKXiO\consent.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\DLKXiO\consent.exe
                                                        Imagebase:0x7ff679f90000
                                                        File size:157080 bytes
                                                        MD5 hash:74D31E4F51873160D91B1F80E0C472D0
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, Metadefender, Browse
                                                        • Detection: 0%, ReversingLabs
                                                        Reputation:moderate

                                                        Target ID:14
                                                        Start time:08:20:47
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\SysResetErr.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\SysResetErr.exe
                                                        Imagebase:0x7ff67d350000
                                                        File size:42392 bytes
                                                        MD5 hash:6A3F2F3C36FE45A87E3BFA80B6D92E07
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Target ID:15
                                                        Start time:08:20:52
                                                        Start date:20/02/2022
                                                        Path:C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe
                                                        Imagebase:0x7ff67a420000
                                                        File size:42392 bytes
                                                        MD5 hash:6A3F2F3C36FE45A87E3BFA80B6D92E07
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, Author: @VK_Intel
                                                        Reputation:moderate

                                                        Target ID:19
                                                        Start time:08:21:04
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\consent.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\consent.exe
                                                        Imagebase:0x7ff6b4af0000
                                                        File size:157080 bytes
                                                        MD5 hash:74D31E4F51873160D91B1F80E0C472D0
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Target ID:23
                                                        Start time:08:21:06
                                                        Start date:20/02/2022
                                                        Path:C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe
                                                        Imagebase:0x7ff60d120000
                                                        File size:157080 bytes
                                                        MD5 hash:74D31E4F51873160D91B1F80E0C472D0
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, Metadefender, Browse
                                                        • Detection: 0%, ReversingLabs
                                                        Reputation:moderate

                                                        Target ID:24
                                                        Start time:08:21:07
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\rdpshell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\rdpshell.exe
                                                        Imagebase:0x7ff7f9220000
                                                        File size:463872 bytes
                                                        MD5 hash:4994A0ADA359924026FE631E54FC7A5D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:25
                                                        Start time:08:21:07
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\cmstp.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmstp.exe
                                                        Imagebase:0x7ff67f360000
                                                        File size:92672 bytes
                                                        MD5 hash:2A9828E0C405422D166E0141054A04B3
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:27
                                                        Start time:08:21:10
                                                        Start date:20/02/2022
                                                        Path:C:\Users\user\AppData\Local\y1c6p\cmstp.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\y1c6p\cmstp.exe
                                                        Imagebase:0x7ff768f80000
                                                        File size:92672 bytes
                                                        MD5 hash:2A9828E0C405422D166E0141054A04B3
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, Author: @VK_Intel

                                                        Target ID:28
                                                        Start time:08:21:21
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\SystemPropertiesComputerName.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\SystemPropertiesComputerName.exe
                                                        Imagebase:0x7ff649f80000
                                                        File size:83968 bytes
                                                        MD5 hash:BEE134E1F23AFD3AE58191D265BB9070
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:29
                                                        Start time:08:21:22
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\DWWIN.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\DWWIN.EXE
                                                        Imagebase:0x7ff7bd670000
                                                        File size:210944 bytes
                                                        MD5 hash:3C21F944D5FF44E45BC753919F6AE445
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:30
                                                        Start time:08:21:23
                                                        Start date:20/02/2022
                                                        Path:C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE
                                                        Imagebase:0x7ff7eae80000
                                                        File size:210944 bytes
                                                        MD5 hash:3C21F944D5FF44E45BC753919F6AE445
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, Author: @VK_Intel

                                                        Target ID:32
                                                        Start time:08:21:35
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
                                                        Imagebase:0x7ff74d1b0000
                                                        File size:83968 bytes
                                                        MD5 hash:1A34577AEDE83993615D7F2E37024D4D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:33
                                                        Start time:08:21:36
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\sppsvc.exe
                                                        Wow64 process (32bit):
                                                        Commandline:C:\Windows\system32\sppsvc.exe
                                                        Imagebase:
                                                        File size:4527680 bytes
                                                        MD5 hash:FEEC8055C5986182C717DD888000AEF6
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:35
                                                        Start time:08:21:39
                                                        Start date:20/02/2022
                                                        Path:C:\Users\user\AppData\Local\GsjW\sppsvc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\GsjW\sppsvc.exe
                                                        Imagebase:0x7ff6a21c0000
                                                        File size:4527680 bytes
                                                        MD5 hash:FEEC8055C5986182C717DD888000AEF6
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security
                                                        • Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, Author: @VK_Intel
                                                        Antivirus matches:
                                                        • Detection: 0%, Metadefender, Browse
                                                        • Detection: 0%, ReversingLabs

                                                        Target ID:36
                                                        Start time:08:21:52
                                                        Start date:20/02/2022
                                                        Path:C:\Windows\System32\SndVol.exe
                                                        Wow64 process (32bit):
                                                        Commandline:C:\Windows\system32\SndVol.exe
                                                        Imagebase:
                                                        File size:259904 bytes
                                                        MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
                                                        Has elevated privileges:
                                                        Has administrator privileges:
                                                        Programmed in:C, C++ or other language

                                                        Target ID:37
                                                        Start time:08:21:53
                                                        Start date:20/02/2022
                                                        Path:C:\Users\user\AppData\Local\0rPbJb\SndVol.exe
                                                        Wow64 process (32bit):
                                                        Commandline:C:\Users\user\AppData\Local\0rPbJb\SndVol.exe
                                                        Imagebase:
                                                        File size:259904 bytes
                                                        MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
                                                        Has elevated privileges:
                                                        Has administrator privileges:
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, Virustotal, Browse
                                                        • Detection: 0%, Metadefender, Browse
                                                        • Detection: 0%, ReversingLabs


                                                          Execution Graph

                                                          Execution Coverage:2.7%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:41.8%
                                                          Total number of Nodes:419
                                                          Total number of Limit Nodes:46
66783->66771 66783->66779 66793 7ffc682d94c7 _RunAllParam 66783->66793 66799 7ffc682d94b6 _RunAllParam 66783->66799 66787 7ffc682d81a0 _RunAllParam 2 API calls 66784->66787 66784->66789 66785->66782 66786 7ffc682f4640 _RunAllParam 2 API calls 66785->66786 66797 7ffc682d9867 _RunAllParam 66785->66797 66803 7ffc682d98f3 _RunAllParam 66785->66803 66786->66785 66787->66789 66788->66774 66788->66799 66789->66758 66789->66765 66794 7ffc682f4640 _RunAllParam 2 API calls 66790->66794 66806 7ffc682da30e 66790->66806 66808 7ffc682d9eb7 _RunAllParam 66790->66808 66813 7ffc682d9f43 _RunAllParam 66790->66813 66791 7ffc682d7390 _RunAllParam 2 API calls 66796 7ffc682d9cbe 66791->66796 66792 7ffc682d7ea0 _RunAllParam 2 API calls 66802 7ffc682d99eb 66792->66802 66795 7ffc682d81a0 _RunAllParam 2 API calls 66793->66795 66793->66799 66794->66790 66795->66799 66796->66762 66796->66782 66798 7ffc682d81a0 _RunAllParam 2 API calls 66797->66798 66797->66803 66798->66803 66799->66771 66799->66775 66800 7ffc682d7390 _RunAllParam 2 API calls 66800->66806 66801 7ffc682d7ea0 _RunAllParam 2 API calls 66812 7ffc682da03b 66801->66812 66802->66762 66805 7ffc682f4640 _RunAllParam 2 API calls 66802->66805 66816 7ffc682d9b37 _RunAllParam 66802->66816 66824 7ffc682d9b26 _RunAllParam 66802->66824 66803->66792 66803->66824 66804 7ffc682da94a 66804->66762 66817 7ffc682da96e _RunAllParam 66804->66817 66805->66802 66806->66762 66806->66804 66807 7ffc682f4640 _RunAllParam 2 API calls 66806->66807 66822 7ffc682da4f5 _RunAllParam 66806->66822 66825 7ffc682da4e4 _RunAllParam 66806->66825 66807->66806 66809 7ffc682d81a0 _RunAllParam 2 API calls 66808->66809 66808->66813 66809->66813 66810 7ffc682d7390 _RunAllParam 2 API calls 66810->66804 66811 7ffc682d7ea0 _RunAllParam 2 API calls 66815 7ffc682da67b 66811->66815 66812->66762 66814 7ffc682f4640 _RunAllParam 2 API calls 66812->66814 66826 7ffc682da187 _RunAllParam 66812->66826 66829 7ffc682da176 _RunAllParam 66812->66829 66813->66801 66813->66829 66814->66812 
66815->66762 66819 7ffc682f4640 _RunAllParam 2 API calls 66815->66819 66828 7ffc682da7c7 _RunAllParam 66815->66828 66831 7ffc682da7b6 _RunAllParam 66815->66831 66820 7ffc682d81a0 _RunAllParam 2 API calls 66816->66820 66816->66824 66817->66818 66927 7ffc682d6070 66817->66927 66818->66670 66819->66815 66820->66824 66823 7ffc682d81a0 _RunAllParam 2 API calls 66822->66823 66822->66825 66823->66825 66824->66762 66824->66791 66825->66811 66825->66831 66827 7ffc682d81a0 _RunAllParam 2 API calls 66826->66827 66826->66829 66827->66829 66828->66762 66830 7ffc682d81a0 _RunAllParam 2 API calls 66828->66830 66828->66831 66829->66762 66829->66800 66830->66831 66831->66762 66831->66810 66832->66670 66834 7ffc682ce9d0 _RunAllParam 2 API calls 66833->66834 66835 7ffc682cebb4 66834->66835 66835->66693 66837 7ffc682f24e7 _RunAllParam 66836->66837 66853 7ffc682f1d40 66837->66853 66839 7ffc682f24f8 66839->66696 66891 7ffc682f1580 66840->66891 66842 7ffc682f165a _RunAllParam 66842->66698 66844 7ffc682cea70 _RunAllParam 2 API calls 66843->66844 66845 7ffc682f1974 66844->66845 66904 7ffc682f16f0 66845->66904 66847 7ffc682f1984 66848 7ffc682f199b _RunAllParam 66847->66848 66918 7ffc682cec50 LdrLoadDll FindNextFileW _RunAllParam 66847->66918 66848->66700 66851 7ffc682d81a0 _RunAllParam 2 API calls 66850->66851 66852 7ffc682bbd58 66851->66852 66852->66719 66854 7ffc682f1d6b _RunAllParam 66853->66854 66855 7ffc682d81a0 _RunAllParam 2 API calls 66854->66855 66858 7ffc682f1db7 66855->66858 66856 7ffc682f200e 66857 7ffc682dbe00 _RunAllParam 2 API calls 66856->66857 66859 7ffc682f2016 _RunAllParam 66857->66859 66858->66856 66881 7ffc682f1de0 _RunAllParam 66858->66881 66860 7ffc682d81a0 _RunAllParam 2 API calls 66859->66860 66870 7ffc682f2046 _RunAllParam 66859->66870 66872 7ffc682f2004 66860->66872 66861 7ffc682f2199 66861->66839 66862 7ffc682f1f90 66863 7ffc682d81a0 _RunAllParam 2 API calls 66862->66863 66866 7ffc682f1fc1 _RunAllParam 66862->66866 66863->66866 66864 7ffc682d81a0 LdrLoadDll 
FindNextFileW _RunAllParam 66864->66881 66865 7ffc682f2044 RegCloseKey 66865->66870 66868 7ffc682d81a0 _RunAllParam 2 API calls 66866->66868 66866->66870 66867 7ffc682f1e36 RegCloseKey 66867->66881 66868->66872 66869 7ffc682f1e84 RegEnumKeyW 66869->66862 66869->66881 66870->66861 66871 7ffc682ecc90 10 API calls 66870->66871 66873 7ffc682f20df 66871->66873 66872->66865 66872->66870 66873->66861 66885 7ffc682ceaa0 66873->66885 66874 7ffc682d4aa0 _RunAllParam 2 API calls 66874->66881 66876 7ffc682f20f6 66877 7ffc682ceba0 2 API calls 66876->66877 66880 7ffc682f210f _RunAllParam 66877->66880 66878 7ffc682f2148 _RunAllParam 66882 7ffc682f1d40 10 API calls 66878->66882 66879 7ffc682f1ef3 RegOpenKeyExW 66879->66881 66880->66878 66890 7ffc682d56a0 LdrLoadDll FindNextFileW _RunAllParam 66880->66890 66881->66862 66881->66864 66881->66867 66881->66869 66881->66874 66881->66879 66883 7ffc682f217f _RunAllParam 66882->66883 66883->66839 66886 7ffc682ce9d0 _RunAllParam 2 API calls 66885->66886 66887 7ffc682ceac3 66886->66887 66888 7ffc682d5710 _RunAllParam 2 API calls 66887->66888 66889 7ffc682cead7 66888->66889 66889->66876 66890->66878 66893 7ffc682f15b0 66891->66893 66892 7ffc682d81a0 _RunAllParam 2 API calls 66892->66893 66893->66892 66894 7ffc682f15cf RegEnumValueA 66893->66894 66897 7ffc682d2c30 66893->66897 66894->66893 66895 7ffc682f1610 66894->66895 66895->66842 66898 7ffc682d2c6b 66897->66898 66901 7ffc682d2ca5 66897->66901 66900 7ffc682d5710 _RunAllParam 2 API calls 66898->66900 66900->66901 66902 7ffc682d2cd9 _RunAllParam 66901->66902 66903 7ffc682d56a0 LdrLoadDll FindNextFileW _RunAllParam 66901->66903 66902->66893 66903->66902 66905 7ffc682f171a 66904->66905 66906 7ffc682f170a 66904->66906 66905->66847 66906->66905 66907 7ffc682d81a0 _RunAllParam 2 API calls 66906->66907 66908 7ffc682f1742 66907->66908 66909 7ffc682f1767 66908->66909 66910 7ffc682f1747 RegQueryValueExA 66908->66910 66911 7ffc682f176f 66909->66911 66912 7ffc682ceba0 2 API calls 66909->66912 
66910->66909 66911->66847 66913 7ffc682f1786 66912->66913 66914 7ffc682d81a0 _RunAllParam 2 API calls 66913->66914 66915 7ffc682f1795 _RunAllParam 66914->66915 66916 7ffc682f17ca 66915->66916 66917 7ffc682f17ab RegQueryValueExA 66915->66917 66916->66847 66917->66916 66918->66848 66920 7ffc682d5ec1 66919->66920 66921 7ffc682d5f2c 66919->66921 66920->66921 66922 7ffc682d81a0 _RunAllParam 2 API calls 66920->66922 66921->66770 66924 7ffc682d5edb 66922->66924 66923 7ffc682d5ef0 66923->66770 66924->66923 66925 7ffc682dbe00 _RunAllParam 2 API calls 66924->66925 66926 7ffc682d5f07 66925->66926 66926->66770 66928 7ffc682d5eb0 _RunAllParam 2 API calls 66927->66928 66929 7ffc682d607e 66928->66929 66930 7ffc682d81a0 _RunAllParam 2 API calls 66929->66930 66932 7ffc682d609b 66929->66932 66931 7ffc682d6091 66930->66931 66931->66932 66933 7ffc682d6096 NtClose 66931->66933 66932->66818 66933->66932 67163 7ffc682963c0 16 API calls _RunAllParam 67053 7ffc682a5220 LdrLoadDll FindNextFileW RegEnumValueA 67167 7ffc682b8c20 NtClose LdrLoadDll FindNextFileW ConvertStringSecurityDescriptorToSecurityDescriptorW CreateMutexA 66628 7ffc682d8a60 5 API calls _RunAllParam 67064 7ffc682a9660 NtClose LdrLoadDll FindNextFileW ConvertStringSecurityDescriptorToSecurityDescriptorW _RunAllParam
Strings
Memory Dump Source
• Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
• Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID: f+/)$f+/)$f+/)$f+/)$f+/)
• API String ID: 0-3376796891
• Opcode ID: 480604aad73d94ddbaf7b6e5243b48039f0893af9bdccec418bdc49616eae952
• Instruction ID: 319897a27af10340b8f527979a0e2fbfe070a4edcdc3fe7e04e6451d3175f51e
• Opcode Fuzzy Hash: 480604aad73d94ddbaf7b6e5243b48039f0893af9bdccec418bdc49616eae952
• Instruction Fuzzy Hash: AF72D0A2A0C7AAC5EA248B15D4483B927A1FF89F88F455035DA0E077D5DF3CD942C3B8
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
• Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 394ae3f47238bbd20f0c386901f1ae5cf8dae6134b138aadd1da20cdb9795a07
• Instruction ID: 2ed130d357c7128fb3654e54f8a1c63a69bfc5a5f84e48e31e48acfb7d4ff161
• Opcode Fuzzy Hash: 394ae3f47238bbd20f0c386901f1ae5cf8dae6134b138aadd1da20cdb9795a07
• Instruction Fuzzy Hash: 1903C126A0C7A9C6EB649B1594502BA3BE1FF85B8CF884031DA0E077D6DF3CE555C368
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
• Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
Yara matches
Similarity
• API ID: FileFindFirst
• String ID: .
• API String ID: 1974802433-248832578
• Opcode ID: af602f8658dc6b56f451c485c3cbb8058e6669dd281f78fd19427731c48b0698
• Instruction ID: 6d083f9d7ad469d3e25b8e9080bbf16e6145d5ec835b330c61a6c91035fcd670
• Opcode Fuzzy Hash: af602f8658dc6b56f451c485c3cbb8058e6669dd281f78fd19427731c48b0698
• Instruction Fuzzy Hash: F4416021A0C25A81FB145A28D10437963A19F84BECF585631CE6D072D9DFBCE882C778
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
• Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID: )8GV$)8GV
• API String ID: 0-993736920
• Opcode ID: f05420cdb7c5b4e0dafb6db1fd65c81427849b2ccb0d5e4a363e901e39f8afe4
• Instruction ID: abe3d8384e219c83e2ac80c80700b84b615d678836f63b47c393522f999891aa
• Opcode Fuzzy Hash: f05420cdb7c5b4e0dafb6db1fd65c81427849b2ccb0d5e4a363e901e39f8afe4
• Instruction Fuzzy Hash: 99F18062B1C96AD4EB50EB61D8912FD2760EF9478CF800432EA4E879DAEF3CD545C724
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
• Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
Yara matches
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: 23153f63af2b86541570a38ac166eb529bc1bd4c00964222bdc21895722ba318
• Instruction ID: 2a7ad0a268f2e6d96cfddc5ed2403025e6025293fd5dd26e87bb31c4dc348e8f
• Opcode Fuzzy Hash: 23153f63af2b86541570a38ac166eb529bc1bd4c00964222bdc21895722ba318
• Instruction Fuzzy Hash: DA82BD62A0C7A9C6EB608B19D4542B977E1FF85B88F884431CA4D077D6DF3CE942C368
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
• Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c35e989a891b50527dcb3e3c96e6aa52ff6585637435a49d30dc3fcc12fc07c
• Instruction ID: 3e5ebca03cbcc09de3f7694710b618f1ee01f3b02ae55bdb0c0c1fb0e76d3aef
• Opcode Fuzzy Hash: 3c35e989a891b50527dcb3e3c96e6aa52ff6585637435a49d30dc3fcc12fc07c
• Instruction Fuzzy Hash: 9972AD22A0C7A9C6EB658B1594643B93BE1FF85B88F884035CA4D077D6DF3CE945C368
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationQuerySystem
                                                          • String ID:
                                                          • API String ID: 3562636166-0
                                                          • Opcode ID: 8fbe0ac22dc4177ed469b18557b505728d9322c9645c83309d9e86941306a441
                                                          • Instruction ID: 9acb5aa2884e2cb8d98654685e1a67a0fe5f6f1a61a2f6a84d51f11e64193911
                                                          • Opcode Fuzzy Hash: 8fbe0ac22dc4177ed469b18557b505728d9322c9645c83309d9e86941306a441
                                                          • Instruction Fuzzy Hash: ADB18B36A4866ADAE750EB25D1402BE37A0FF48B8CF404435EA4E47BD5DF38E424C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExitProcess
                                                          • String ID:
                                                          • API String ID: 3487036407-0
                                                          • Opcode ID: 3fc01bab2dafcec1388d4a1be2fb1d8df57dcc2a7c6cc0993522a4f14ea4eead
                                                          • Instruction ID: 62315ca023885488dcd32d6fff280f35cec8fd68566902d05205b9980741b596
                                                          • Opcode Fuzzy Hash: 3fc01bab2dafcec1388d4a1be2fb1d8df57dcc2a7c6cc0993522a4f14ea4eead
                                                          • Instruction Fuzzy Hash: 64811D22F1CA66D5FB60EBA1D4512FE23A5AF9435CF814031EE0D979CADF28E505C3A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFindLoadNext
                                                          • String ID:
                                                          • API String ID: 50669962-0
                                                          • Opcode ID: e5d8b990709b64687c2823f54e2e9fe3c05d54d7ad96fe5c4900ad0bee84abfd
                                                          • Instruction ID: e20c19ff0dc92c6aaa21565bc3642fbb9481e46a2ac1549614fafc37aaa8b56f
                                                          • Opcode Fuzzy Hash: e5d8b990709b64687c2823f54e2e9fe3c05d54d7ad96fe5c4900ad0bee84abfd
                                                          • Instruction Fuzzy Hash: 79819022A2C5AAD1FB50EB20D4512BE67A5FF8434CF805131EA4D479CAEE7CD509C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 3109ecfdde74783f49d8cca167d899ddf147d6577d1b25538b452d016e429314
                                                          • Instruction ID: 33284e7cda2196c6f517e40e0bee2605e53be23a0621686006428c2b06f1c7f0
                                                          • Opcode Fuzzy Hash: 3109ecfdde74783f49d8cca167d899ddf147d6577d1b25538b452d016e429314
                                                          • Instruction Fuzzy Hash: EED02B60E1DA05C1FF102771A44137423C1DFA8349F080030CA0C0B3C2DE3DA4468334
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6a1dfa248ccb54f18a45c945ff9312bd4c08851b9d9ada40c1ba5a4a16e371c
                                                          • Instruction ID: fc7991813fb5005006f18e85cb0c9105f572d34accc9304b39f48138a51d7eff
                                                          • Opcode Fuzzy Hash: a6a1dfa248ccb54f18a45c945ff9312bd4c08851b9d9ada40c1ba5a4a16e371c
                                                          • Instruction Fuzzy Hash: AA61E420A1C65AD1FAA4A722956057A5791EFC43A8F984334EF2D43BC6FF3CE805C634
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 717d4ec3b735092e53a72d35c3ed561355d52b27779c6b4bb118a1ea043fe421
                                                          • Instruction ID: 4e7035f33e74af5a8f70a9a8be1039200212be35d4b67b0b9fec905ba147ad20
                                                          • Opcode Fuzzy Hash: 717d4ec3b735092e53a72d35c3ed561355d52b27779c6b4bb118a1ea043fe421
                                                          • Instruction Fuzzy Hash: 82718E22B1C66AC5FB50EB60E4842FE6BA1BF8434CF840435DA4D43ADADF78E445C764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC682F1E39
                                                          • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC682F1E94
                                                          • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC682F1F19
                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFC682F2044
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close$EnumOpen
                                                          • String ID:
                                                          • API String ID: 138425441-0
                                                          • Opcode ID: df4a5dbd81014694497352d8d20fa832390753a08ed0c24c30b36aa7ede405c4
                                                          • Instruction ID: 26402f22c94ff9fbb596e0b32ea0960430b2a378100fc3498dc99de9d41bca5d
                                                          • Opcode Fuzzy Hash: df4a5dbd81014694497352d8d20fa832390753a08ed0c24c30b36aa7ede405c4
                                                          • Instruction Fuzzy Hash: 02C12862A0C3AAC2EE609B15E45037A6790EFC57A4F844231EA6D437C6EF3CE845C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.310933520.000001D745960000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D745960000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1d745960000_loaddll64.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$NodeRemove
                                                          • String ID:
                                                          • API String ID: 3879549435-0
                                                          • Opcode ID: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction ID: 0d0592a4fd77b06a4ea283a60010271c8402074ee16cbe54f2549851f6a9e447
                                                          • Opcode Fuzzy Hash: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction Fuzzy Hash: 7AB15376618BC586DB70CB1AE440BDEB7A1F7C9B80F108126EE8957F98DB79C8458F40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ConsoleFree
                                                          • String ID: )8GV$d
                                                          • API String ID: 771614528-3589632123
                                                          • Opcode ID: ca8963787b58e29caee6cf2aba5209661e7e797118522b132cce36d1b824dca3
                                                          • Instruction ID: 33a771fb74d114fb32bcc40daf45d77be100c6603fa4017bf146bd02fdfde2dd
                                                          • Opcode Fuzzy Hash: ca8963787b58e29caee6cf2aba5209661e7e797118522b132cce36d1b824dca3
                                                          • Instruction Fuzzy Hash: B091F121B1C61AC2EA80AB60E0911BE6391FFC8758F944135EB5D877DADE7CE805C3B4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph omitted: function starting at 7ffc682d6340, nodes 526-625; direct API call in graph: GetComputerNameA]
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ComputerName
                                                          • String ID: th4K$19
                                                          • API String ID: 3545744682-895195625
                                                          • Opcode ID: 9d49f1fbe01acc43c6f690d39a16111ac260606b07324e3bc5968d82625daf26
                                                          • Instruction ID: 6893e6d4c16e4d430f5966f002cd959fb07ba107afd00faa13da35de7a91d2ba
                                                          • Opcode Fuzzy Hash: 9d49f1fbe01acc43c6f690d39a16111ac260606b07324e3bc5968d82625daf26
                                                          • Instruction Fuzzy Hash: 9AA1A162B1CA5AD9EB10EB70C0912FD2761BF8474CF801531EE0D57ADAEE78E509C764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph omitted: function starting at 7ffc682ee420, nodes 1386-1443; direct API calls in graph: CreateFileW, SetFileTime]
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea2794dbadae1738f632839e7e25b10b57cc5617e6805f9af43153bbc1487dd3
                                                          • Instruction ID: e17f40c17f7d6d8607a7a4e7423fe2a9d19289c605d1e3f998b8e383f32d1b35
                                                          • Opcode Fuzzy Hash: ea2794dbadae1738f632839e7e25b10b57cc5617e6805f9af43153bbc1487dd3
                                                          • Instruction Fuzzy Hash: 76510125B0C66BC2FA609B61A4443BA6791BF8478CF944435DA4D07BC1EE3DE806C37C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$PointerRead
                                                          • String ID:
                                                          • API String ID: 3154509469-0
                                                          • Opcode ID: 965852992de9e6e3044a28c083680b4a7b138a7b4c24391a0fca253c9c8c351e
                                                          • Instruction ID: 311b7eb41d3686738596bd6c14f8aa6e233cdc7988e184c37b6a6e1b6fffeabc
                                                          • Opcode Fuzzy Hash: 965852992de9e6e3044a28c083680b4a7b138a7b4c24391a0fca253c9c8c351e
                                                          • Instruction Fuzzy Hash: 3141DD29E1C6AAD2EA40EB25A04017E63D5EF84788F940135EA4E477D9DF3CE403CB68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC682D7CED), ref: 00007FFC682F1765
                                                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC682D7CED), ref: 00007FFC682F17C8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 16b26d6c896f6fa4616d6a71bfc56c354d89df3ff3d6af8eb17e2b444903a025
                                                          • Instruction ID: 98ab85384a96b7255deed75dc7a30dc04072422bc8d4040e69a5019a83308824
                                                          • Opcode Fuzzy Hash: 16b26d6c896f6fa4616d6a71bfc56c354d89df3ff3d6af8eb17e2b444903a025
                                                          • Instruction Fuzzy Hash: 1321E462B5D69582EE55CB51E40013AA790EFC57E4F884231EE4C07BD8EF3CD482CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph omitted: function starting at 7ffc682f0730, nodes 2766-2829; direct API call in graph: CreateMutexA]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: 9538289f8185c155a084e6590f3687c4e82028a9d15f68e794a6645c430656ab
                                                          • Instruction ID: faf751508cc7db4a1ff454fdaa1a9492237a4d9be532fcf4ed91e07267762fdd
                                                          • Opcode Fuzzy Hash: 9538289f8185c155a084e6590f3687c4e82028a9d15f68e794a6645c430656ab
                                                          • Instruction Fuzzy Hash: 1551B832B4C62ACAFB54AB6194112BD67D1AF88B48F580435DE4D477C6EF38E801C7A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFC682F03CB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DescriptorSecurity$ConvertString
                                                          • String ID:
                                                          • API String ID: 3907675253-0
                                                          • Opcode ID: 862668677c52d1f3e921be35dc8d126f82c753b8d30067e3a20c2e66dcebf74c
                                                          • Instruction ID: 0643168d98e4ba76c2b854e83ac65e195dd5e94b19a6144204fec1ec249f288a
                                                          • Opcode Fuzzy Hash: 862668677c52d1f3e921be35dc8d126f82c753b8d30067e3a20c2e66dcebf74c
                                                          • Instruction Fuzzy Hash: 2D218E3260CB5AD2EA10EF65E1500AA77A0FF88788F944535DB8C07B85EF7CE525C798
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC682EE8B1), ref: 00007FFC682EE59C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 43c89e2823faadb45905163f39a662362428de14ecf5d1551f9feaedd7c39631
                                                          • Instruction ID: 9a98527c68702a62d0f3aeb107aed7b3c9d5faab198414509ca84a688d9ff172
                                                          • Opcode Fuzzy Hash: 43c89e2823faadb45905163f39a662362428de14ecf5d1551f9feaedd7c39631
                                                          • Instruction Fuzzy Hash: A611B2A6A0C65EC6EA709B11A0453BA6391BF84788F940535DA5E077C1EF3CE406C7B8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFindNext
                                                          • String ID:
                                                          • API String ID: 2029273394-0
                                                          • Opcode ID: fdce1fadeb3f45b2cde08bed8a1d21414a5687aa25c80ef2bc3efa72baa5b526
                                                          • Instruction ID: 7534670fa6fc365896ff5a3e104c8e951de466782a4194cea1111b6e57aeabad
                                                          • Opcode Fuzzy Hash: fdce1fadeb3f45b2cde08bed8a1d21414a5687aa25c80ef2bc3efa72baa5b526
                                                          • Instruction Fuzzy Hash: 5B1130A1E1C25A82FF649B2991552B913E2AF9478CF441038DE4C472C5EF6CE896C77C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC682EE8B1), ref: 00007FFC682EE59C
                                                          • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC682EE8B1), ref: 00007FFC682EE62A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateTime
                                                          • String ID:
                                                          • API String ID: 1043708186-0
                                                          • Opcode ID: 3304dbe52edba5308dda95b44dbd259358377a73301d273e701d5f6ab0c2530a
                                                          • Instruction ID: 05fe5cd70006ad0ccbe5e2705587d44b5e277a64122a34ad05408955eea999f4
                                                          • Opcode Fuzzy Hash: 3304dbe52edba5308dda95b44dbd259358377a73301d273e701d5f6ab0c2530a
                                                          • Instruction Fuzzy Hash: 2F11C6A6A0C65EC6E6609B11A0453BA63D1BF84788F580135DB8E077C1EF3CE406C77C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC682EE8B1), ref: 00007FFC682EE59C
                                                          • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC682EE8B1), ref: 00007FFC682EE62A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateTime
                                                          • String ID:
                                                          • API String ID: 1043708186-0
                                                          • Opcode ID: ca5d1eb978d7ec9a7d954c8b95fba2893bd821786bb6015228d7770952683646
                                                          • Instruction ID: ea3f4942e4d9e5cc49b641f92c5346c6b4ee86134dc615e4e03f8ef088af2e37
                                                          • Opcode Fuzzy Hash: ca5d1eb978d7ec9a7d954c8b95fba2893bd821786bb6015228d7770952683646
                                                          • Instruction Fuzzy Hash: 2211A0A6A0C66EC6E6709B1160457BA6391BF84788F581135DB8E037C1EF3CE406C2B8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC682EE8B1), ref: 00007FFC682EE59C
                                                          • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC682EE8B1), ref: 00007FFC682EE62A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateTime
                                                          • String ID:
                                                          • API String ID: 1043708186-0
                                                          • Opcode ID: 55f9995db818072b88c6077fddabbc06cfbed2c75455add3a066083054c07255
                                                          • Instruction ID: 3d643651b9425fdacd5708d5d490b73bbcf928756ab191a90cf6f3eda1fefc0a
                                                          • Opcode Fuzzy Hash: 55f9995db818072b88c6077fddabbc06cfbed2c75455add3a066083054c07255
                                                          • Instruction Fuzzy Hash: C2018EA6A1C65EC5EA609B11B0147BA6391BF84788F981135DB8E077C1EF3CE446C7B8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnumValue
                                                          • String ID:
                                                          • API String ID: 2814608202-0
                                                          • Opcode ID: 9a5348946385674cb3b67b767ff83c8b37964fcb986c50957ca30d2b47ffed43
                                                          • Instruction ID: b5af4fa519b190cb5362a68cab6c529995850423a022b4c2c9142227c6411843
                                                          • Opcode Fuzzy Hash: 9a5348946385674cb3b67b767ff83c8b37964fcb986c50957ca30d2b47ffed43
                                                          • Instruction Fuzzy Hash: 94115172608B85C6D7208F02F40059AB7A4FB88B84FA84135EF8D03B48DF39E991CB14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateHeap
                                                          • String ID:
                                                          • API String ID: 10892065-0
                                                          • Opcode ID: 28e091359616bcc0756b8dbb98851b7a34b4384a0fe2660f877d6e9e217fdbd6
                                                          • Instruction ID: c604e15b7c9fcdae1d1bbee666bc9d2c2fced1049a88c16effb5c4e3f6c361ba
                                                          • Opcode Fuzzy Hash: 28e091359616bcc0756b8dbb98851b7a34b4384a0fe2660f877d6e9e217fdbd6
                                                          • Instruction Fuzzy Hash: A101F731A1CA65C2E6618750F9512357795EF883C4F588234DE4C077D9DE3CD416CB14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: BoundaryDeleteDescriptor
                                                          • String ID:
                                                          • API String ID: 3203483114-0
                                                          • Opcode ID: ce8d07d80f22f244616ce11df2c88dd4e268c15b1145ceb92eaa2a040a8f6ce2
                                                          • Instruction ID: f6ab0f017c17b1d62eee6877320db8fd58c9452aa1aa9dd072090dd701be10fb
                                                          • Opcode Fuzzy Hash: ce8d07d80f22f244616ce11df2c88dd4e268c15b1145ceb92eaa2a040a8f6ce2
                                                          • Instruction Fuzzy Hash: 9BF05E00F5D22BC1FE6553A269A12320BC29FC5388E4D5534CC0C4A3D9ED6CE902C238
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001D7459629A5), ref: 000001D7459620AA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.310933520.000001D745960000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D745960000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1d745960000_loaddll64.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction ID: 9774237890375b4316b6cc467e354e32a2bbe8e0014f9ba24536b586d8f65619
                                                          • Opcode Fuzzy Hash: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction Fuzzy Hash: FF314B72615B8086D790DF1AE45479A7BB0F389BD4F209126EF8E97B58DF3AC446CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0020$0020$3050$3050$4040$GNOP
                                                          • API String ID: 0-829999343
                                                          • Opcode ID: d0bc01684baad9dc0070a379f341f88ebea3c880daaef9d8074e94af0fa9d77a
                                                          • Instruction ID: 460e80ab9cb99cd80af5b7cbe11eac69a8d0d69788d9eacb918e08ca8697f6f0
                                                          • Opcode Fuzzy Hash: d0bc01684baad9dc0070a379f341f88ebea3c880daaef9d8074e94af0fa9d77a
                                                          • Instruction Fuzzy Hash: 4D729066A1C5AAD5EB60EB20C4912FD2761FF9478CF804031EA4E879DAEF3CD645C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: SaK$SaK$SaK$SaK$SaK$SaK
                                                          • API String ID: 0-493789
                                                          • Opcode ID: 38c3a94b9ab4f0c0e515bbc182763a0e6f3354787696474a66077581bd0ec7cb
                                                          • Instruction ID: 27d6005c1cc3122ee4deec746ab5364b840c3fca128b31f7b42055638e2ec5d4
                                                          • Opcode Fuzzy Hash: 38c3a94b9ab4f0c0e515bbc182763a0e6f3354787696474a66077581bd0ec7cb
                                                          • Instruction Fuzzy Hash: 3232A922B18AAAC5EB50DF61D8412FE63A1FF84B88F448035EA4E47BD9DF78D544C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ERCP$VUUU$VUUU$VUUU
                                                          • API String ID: 0-2165971703
                                                          • Opcode ID: 672c78143494dd39daea629657bbfe3320cb3f680577399df9aa3ec95ddd6509
                                                          • Instruction ID: 73d07e8c4698b7171b1958c9ba2444b10b85496b275babe66bd2f279a3762897
                                                          • Opcode Fuzzy Hash: 672c78143494dd39daea629657bbfe3320cb3f680577399df9aa3ec95ddd6509
                                                          • Instruction Fuzzy Hash: 2352A372A0CAAACAEB648F64D4407BD7BA1FF84748F184135DA4E57AC8DB7CE940C714
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )8GV$)8GV$@
                                                          • API String ID: 0-2802744955
                                                          • Opcode ID: 8e5bb4a2171993d98cef1fad2204f817f166dab43f89da08c3bbdd28530923d8
                                                          • Instruction ID: bab46c87ca963f7de48750501ed18ed73a262966869a1715eb2ef450e4d64a2f
                                                          • Opcode Fuzzy Hash: 8e5bb4a2171993d98cef1fad2204f817f166dab43f89da08c3bbdd28530923d8
                                                          • Instruction Fuzzy Hash: 33326F62B1D6AAD5EB50EB61D8512FD2360EF8478CF840431EA0E476DAEF3CE505C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: */*$GET$POST
                                                          • API String ID: 0-3233530491
                                                          • Opcode ID: 61d561b99f8d481ae0cd7e11a1c284686ab0945e28463c0840ea7e72ed9f4625
                                                          • Instruction ID: c3bffe8a2121e16e1e410f754ad64ee6bcdda26d7cbada236989635fea55e3d7
                                                          • Opcode Fuzzy Hash: 61d561b99f8d481ae0cd7e11a1c284686ab0945e28463c0840ea7e72ed9f4625
                                                          • Instruction Fuzzy Hash: 32126E32A0CA9AD5EB50DB61E8902EE77A1FF8439CF804031EA4D47ADADF78D149C754
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: f+/)$f+/)
                                                          • API String ID: 0-981509904
                                                          • Opcode ID: 571aaf60be34797cc83d25ae5771d88604a7ee07681c47c9117cbab8caea9741
                                                          • Instruction ID: f9c18ac88388fa61ec92a8db0241e6f42695f64342c4f0b4c1f809ccbe0a5daa
                                                          • Opcode Fuzzy Hash: 571aaf60be34797cc83d25ae5771d88604a7ee07681c47c9117cbab8caea9741
                                                          • Instruction Fuzzy Hash: 50716B66B0CA2AD6EB10DF79D0602BD27A1EF88B48F544432DE0D477D5DE38E50AC724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2"M1$}LH1
                                                          • API String ID: 0-177019254
                                                          • Opcode ID: fd8166394a68ae6cb04bebbe41f95fd9f6410a78deff93f1d7542d7f2f3f8aaa
                                                          • Instruction ID: 602555f6f80a0cca422e09bb5124f52ec9caec5f34ff1952e8e1591599044961
                                                          • Opcode Fuzzy Hash: fd8166394a68ae6cb04bebbe41f95fd9f6410a78deff93f1d7542d7f2f3f8aaa
                                                          • Instruction Fuzzy Hash: 3851BF72719A55CAEB649F30A4803AE37A2EF89348F545539E64E0BBC8DF3CD406C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D
                                                          • API String ID: 0-2746444292
                                                          • Opcode ID: 5dc9d16ba2194fec26aebdddd9b581b711ea68098e1161d901ff98bec3de5d67
                                                          • Instruction ID: 46aacc11014c63c8c46076af722a06384c0ff52868256fa492c2376adf3825a2
                                                          • Opcode Fuzzy Hash: 5dc9d16ba2194fec26aebdddd9b581b711ea68098e1161d901ff98bec3de5d67
                                                          • Instruction Fuzzy Hash: 5682D276A2C69AC5EB90EB20D4915FD6761FF84398F804531EA5E83ACAEF3CD504C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: GET
                                                          • API String ID: 0-1805413626
                                                          • Opcode ID: 78d64084ef3653309f57744ebfb6c12b6495a33e9b5b91d2ff311640bbd03caa
                                                          • Instruction ID: efe82dfe1e6f72889a440773e469a8a30290ccab01d743f56856f6098ad659a8
                                                          • Opcode Fuzzy Hash: 78d64084ef3653309f57744ebfb6c12b6495a33e9b5b91d2ff311640bbd03caa
                                                          • Instruction Fuzzy Hash: 9C827B62E1C6AAD1EF50DB26D0953BE6760EF85B4CF801032EA4E476C6DE7CE445C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID: x
                                                          • API String ID: 1964310414-2363233923
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: U
                                                          • API String ID: 0-3372436214
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Content-Type
                                                          • API String ID: 0-2058190213
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: f+/)
                                                          • API String ID: 0-1539276483
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ERCP
                                                          • API String ID: 0-1384759551
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: f03383b55ebd8909f4e176ee8f4819d6ac8b7b0b73b3ea6719d69f8eacb4b44f
                                                          • Instruction ID: ecca811bc5e7ad4ea99661681cc443da0c2a712b9f09477ac2dbbf868bb53e06
                                                          • Opcode Fuzzy Hash: f03383b55ebd8909f4e176ee8f4819d6ac8b7b0b73b3ea6719d69f8eacb4b44f
                                                          • Instruction Fuzzy Hash: C9626D62B1C66AD5FB50EB70D4911FE27A1AF8434CF804431EA0E47ADAEE7CE505C768
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 53ea70c433d6e077cc155179e021f7d1f5e268d1d1e17f800cf3cd0a254cb069
                                                          • Instruction ID: 2dbc47cc604f3168286032427f9c566c1a1715a28213d741a1247a8470143a84
                                                          • Opcode Fuzzy Hash: 53ea70c433d6e077cc155179e021f7d1f5e268d1d1e17f800cf3cd0a254cb069
                                                          • Instruction Fuzzy Hash: 73625E76A18B69CBD7648F25C08052C37B1FB98F58B295236CF0D47789CB38E891CB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6b49250fb8378f6fdf4c9df4d9cfc3dc556a3be00db62fe77831ae0fcf7a2b0d
                                                          • Instruction ID: 28a2bb53ddc1bea55b051ea484d8a73d8ae9c6e0e9d458c49d1231cbb2096527
                                                          • Opcode Fuzzy Hash: 6b49250fb8378f6fdf4c9df4d9cfc3dc556a3be00db62fe77831ae0fcf7a2b0d
                                                          • Instruction Fuzzy Hash: C252D022A2C66AD5FE50EB61E4511FE67A5FF84788F804032EA4E476D6DF3CE405C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e314e53dab64861600fc064069ee9026523d66f9b4773eb6d5cda00390b528d4
                                                          • Instruction ID: e0cf7963f6261f481bd0b82ef459e87f884c54e25fe07e37600dba226110964f
                                                          • Opcode Fuzzy Hash: e314e53dab64861600fc064069ee9026523d66f9b4773eb6d5cda00390b528d4
                                                          • Instruction Fuzzy Hash: C342F561B1CA6AC1FB90D761D8512BE6791AF843ACF404631E91E97BCAEF3CD506C324
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65cfbd9806a3a936966669ad939b25ac256810bd9db693759b3f062a8cf604ce
                                                          • Instruction ID: e71216ded49b8995030483ed0ad9241a0c9285aa702991b52acdf6efb3a05230
                                                          • Opcode Fuzzy Hash: 65cfbd9806a3a936966669ad939b25ac256810bd9db693759b3f062a8cf604ce
                                                          • Instruction Fuzzy Hash: 0A428032A0D59BC2EA64EB20D0952FE67A0FF9474CF804032D69E822D6DF7CE549C765
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a85a2c87978537ef9631fc355dddc4c36f3fffba29f94c6d668061522aee41f3
                                                          • Instruction ID: 15efc63929dcf06f01fa223c9460110802b22b4ec641d48a53f54e7b11446d74
                                                          • Opcode Fuzzy Hash: a85a2c87978537ef9631fc355dddc4c36f3fffba29f94c6d668061522aee41f3
                                                          • Instruction Fuzzy Hash: FB42AF62A1C6AAD5EB50EB70C4922FD2765EF8435CF804431EA0D87ADAEF7CE505C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1ae456bcd06b3f425d5c91ff8de33501f7f45515cded1faa7343b05604a98e0
                                                          • Instruction ID: bc03b747bbd3826dcf7fb04bde40d0aa5b87f244be4e64ea07675afa81ab2a62
                                                          • Opcode Fuzzy Hash: f1ae456bcd06b3f425d5c91ff8de33501f7f45515cded1faa7343b05604a98e0
                                                          • Instruction Fuzzy Hash: B632CC66B18666C5EB50EB31C4522FD2BA1EF88B9CF441035EE0E877CAEE78D141C364
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8cb6f5f461b1d4ca306bb4234fb9d7b2676992c0438ec6e2da5c2cd87f9ed5ae
                                                          • Instruction ID: 6924717b5b9c99be4528f6d136c9ffa84a82a0ad8e4080bba290b17d4143b6c8
                                                          • Opcode Fuzzy Hash: 8cb6f5f461b1d4ca306bb4234fb9d7b2676992c0438ec6e2da5c2cd87f9ed5ae
                                                          • Instruction Fuzzy Hash: 0332A062A1C56AD5EB50EB21D4911FD27A1FF8438CF804131EA4E87ADAEF7CE205C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8862e0fed2ff57bd489ba815e8bcc4f237e38119388730476f0b0a0724343e22
                                                          • Instruction ID: 887066411124e3f900065c4563f5cf3363c642f7fc47e87796b687371fd1d434
                                                          • Opcode Fuzzy Hash: 8862e0fed2ff57bd489ba815e8bcc4f237e38119388730476f0b0a0724343e22
                                                          • Instruction Fuzzy Hash: 1E42A162A1CA6AD5FB40EB21C4956FE6764FF8434CF804032EA0D876DADF78E549C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a138ed060d7680e7d78a18bda9a5c5d47bf234489dcc847df638679577738155
                                                          • Instruction ID: 525044ef64ecc56e5e86e25eddc5cfaca71d62e5bf6639b2f02f24c59966ea41
                                                          • Opcode Fuzzy Hash: a138ed060d7680e7d78a18bda9a5c5d47bf234489dcc847df638679577738155
                                                          • Instruction Fuzzy Hash: F022F265B0C65AC6EA90EB25C4922BD27A5FF847C8F804535EA0E877C6FE3CE505C364
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 312f6ea925f60dbbaa3643ba3de431dac70b511dbb8f3fb241a0123b0b17fd16
                                                          • Instruction ID: 31cd45583726166b1de72a775c46f7ea4a03add3dc64cec7c897ec03ca9469c6
                                                          • Opcode Fuzzy Hash: 312f6ea925f60dbbaa3643ba3de431dac70b511dbb8f3fb241a0123b0b17fd16
                                                          • Instruction Fuzzy Hash: D922D366B1C55AC2EA60EB21D4922BD6391FF8478CF504535DA0E87BD6FE3CE506C328
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumValue
                                                          • String ID:
                                                          • API String ID: 858281747-0
                                                          • Opcode ID: a5e2da7d6f9400e07925bd5b9f8f65ab9e4ae4340de07049174a6041d880ddeb
                                                          • Instruction ID: c1a09a9f33f3eb3571bc7e5b6e676ab3d11fc764d72cdc79bab83d9e4f30f079
                                                          • Opcode Fuzzy Hash: a5e2da7d6f9400e07925bd5b9f8f65ab9e4ae4340de07049174a6041d880ddeb
                                                          • Instruction Fuzzy Hash: 9E22CD22F1D5ABD5EA60EB60D0912FD2761AF9478CF804531EA0E476DAEE3CE505C368
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f20197787250662c09fe8e9e97e9303525dcf2ffb8622c72aab126edc68b70b0
                                                          • Instruction ID: 536aa1e97940c682008cab388e94f7233ac84687075cb46fa466b90d6cf5b1f0
                                                          • Opcode Fuzzy Hash: f20197787250662c09fe8e9e97e9303525dcf2ffb8622c72aab126edc68b70b0
                                                          • Instruction Fuzzy Hash: 4F02346298C2BAC5F7758B24814037A7BE1EF1270CF554136DA8E422E6CB3CE945DB38
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54d9a74a2a40b33baac804c102d1d40859fb7644379661121cf789c5970111cb
                                                          • Instruction ID: aa6c19d0947af18c7d692762c650591bde5572d19519496a0e6caaac1c47eee5
                                                          • Opcode Fuzzy Hash: 54d9a74a2a40b33baac804c102d1d40859fb7644379661121cf789c5970111cb
                                                          • Instruction Fuzzy Hash: D8227D65B1CA9AD1EB50EB21C0921FD6765FF84788F804431EA4E87ADAEF7CD205C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6337d68db6f9604866de643f3ee19e0e114db88cdf9cc99c76e459ba937c797f
                                                          • Instruction ID: 067bbc6b852e0c3959a4f3167e8a720ef7ff301d0c114f259015ad8d5db1d6e9
                                                          • Opcode Fuzzy Hash: 6337d68db6f9604866de643f3ee19e0e114db88cdf9cc99c76e459ba937c797f
                                                          • Instruction Fuzzy Hash: 3B229122A1CA6AD1EB50EB21D4551FE27A4FF9578CF804032EA4D476DAEF3CD509C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8c554c9cbf76f6bd5e517f645ce28a9c31c71997994adb23cbf64d0c8de72ad7
                                                          • Instruction ID: 724cd85c4bace2f8272d68cbb452b32db532f1397c777830a2d7c4cec29e7d84
                                                          • Opcode Fuzzy Hash: 8c554c9cbf76f6bd5e517f645ce28a9c31c71997994adb23cbf64d0c8de72ad7
                                                          • Instruction Fuzzy Hash: 34028B21B4C65ADAFB60AB61D4512F927E1AF8438CF844535EA0D87BCAFE38E505C374
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0996fc87cfd22f885cce3042e7289c7cd874aa05387ff9fe1a4aceec301b4dd
                                                          • Instruction ID: 68f3702d8665af4c7f3091e0585d3ad3db097ebd1396c2acf90dcbee50aec0f4
                                                          • Opcode Fuzzy Hash: b0996fc87cfd22f885cce3042e7289c7cd874aa05387ff9fe1a4aceec301b4dd
                                                          • Instruction Fuzzy Hash: 94029E76B4C66ACAEB50DB22C0911BE73A1FF84788F504035DA0E877C6EE38E805C764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ce0afb76e5d8deec59172f91c3b6509fd61606e4818d5eeeea13430d5a2128ed
                                                          • Instruction ID: 86e5992fc8cae5b68f0768b1c0a06794ab72eddce65c3da3fc227f20a8552102
                                                          • Opcode Fuzzy Hash: ce0afb76e5d8deec59172f91c3b6509fd61606e4818d5eeeea13430d5a2128ed
                                                          • Instruction Fuzzy Hash: 3D12A322A1CAAAD5EF50EB21D4912FE6765FF8474CF800032EA4D87ADADE7CD505C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 5f5938f53c5b3538d7588dc6a118b8cfa6568dd1af582bfee192ebca1636af31
                                                          • Instruction ID: d490836060e3b82b1e4fdecf7e4ec0b3649815e668e3ccb3a80b3b22529964ce
                                                          • Opcode Fuzzy Hash: 5f5938f53c5b3538d7588dc6a118b8cfa6568dd1af582bfee192ebca1636af31
                                                          • Instruction Fuzzy Hash: 5C024E66B1C96AD2EB80EB61D4911FE67A1FF94348F804032EA0D47ADADF7CE505C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9a54140925e95c7cfaf995847638abe2d2e059218b81c089810baa6ae90814d
                                                          • Instruction ID: 335261ecd2f0efc408e1a38a934fea1e0e16ed91f3a5be51ba49b4c84eeb6550
                                                          • Opcode Fuzzy Hash: d9a54140925e95c7cfaf995847638abe2d2e059218b81c089810baa6ae90814d
                                                          • Instruction Fuzzy Hash: 16028266A2CA6AD5EB40EB20D4911FD6764FF8478CF804432EA4D83ADAEF3CD505C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fb6a6b2bb90f26008fbc8736e614b521e3107096103992de97bbdc7ea8701d34
                                                          • Instruction ID: 50c0ac61df76e1e1f6d0edb11795e9ccfc111aeaacbef9d75a5990fc708f74eb
                                                          • Opcode Fuzzy Hash: fb6a6b2bb90f26008fbc8736e614b521e3107096103992de97bbdc7ea8701d34
                                                          • Instruction Fuzzy Hash: F2026F62A2C9AAD5EB50EB21C4512FE2765EF9434CFC04031EA4D87ADADF78E509C734
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 3721fcf454b37b8eaafbc8b45fe43ec95c40d2506e45688a6a4d8302cc7d535a
                                                          • Instruction ID: 1be55b9a83d5a929ca18e148cf10936286b1565f34b39f2d2db889564473a00d
                                                          • Opcode Fuzzy Hash: 3721fcf454b37b8eaafbc8b45fe43ec95c40d2506e45688a6a4d8302cc7d535a
                                                          • Instruction Fuzzy Hash: 28F16062B1C956D5FB90EB70D4911FD23A5AF9438CF804431EA0E97ADAEE3CD509C368
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 151b17eb124ab8ee78c36bdae5a0f3e1e8f49f4c48ca1d345b58e20fdeb6ba74
                                                          • Instruction ID: d70f85f45acfb839d666ab51aef10d828e4e8ad4ba143aff04091c60b9df5fad
                                                          • Opcode Fuzzy Hash: 151b17eb124ab8ee78c36bdae5a0f3e1e8f49f4c48ca1d345b58e20fdeb6ba74
                                                          • Instruction Fuzzy Hash: 76025D66B18A6AD9EB00DF31C0512FD2725FF5074CF804475EE0E97ACAEE69E609C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bdfb081fa59f2d5c7030995037a18f51135a41c5da658dd92cbc0c6c38a2482d
                                                          • Instruction ID: f1aa53f2e343fd59baa9cada32aca0973a3099267b6b15f3dadda629d4189dcd
                                                          • Opcode Fuzzy Hash: bdfb081fa59f2d5c7030995037a18f51135a41c5da658dd92cbc0c6c38a2482d
                                                          • Instruction Fuzzy Hash: A2F1BF22A1C66AC5FB50EB71D8512FD2764EF8434CF800531EA1E87ADAEE7DE504C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65c01e724edb53882ca99af93fddb11d90eaf6570b67cfbaaa3c25d323057a62
                                                          • Instruction ID: c1fb4bd1c2f169b679bb578c44b25e93cd7163799c83d9c3b08eb7e71c190eaa
                                                          • Opcode Fuzzy Hash: 65c01e724edb53882ca99af93fddb11d90eaf6570b67cfbaaa3c25d323057a62
                                                          • Instruction Fuzzy Hash: 07027122B1C966D5FB50EB60D4512FD27A4EF9478CF804032EA0D87ADAEF6CD509C768
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0fae273b66de7f5f80531fc293775c5f56af709758f9e335efb0c9d9ae13d318
                                                          • Instruction ID: 25e414fd44c378634e9881b2f52af1a83fb223f735bd409da98d206686719db9
                                                          • Opcode Fuzzy Hash: 0fae273b66de7f5f80531fc293775c5f56af709758f9e335efb0c9d9ae13d318
                                                          • Instruction Fuzzy Hash: 4F02C062A1CAAAD5EB90EB20D4911FD6765FF8434CF804032E64E87ADADF7CE505C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f661e04366838e4ce4ba5aebd1dc93168e9e41b499943add9dd9d6d7fef4196
                                                          • Instruction ID: abeae86862815fe6f720396f0fd3713958ed00faa34efd2976b25654394d02de
                                                          • Opcode Fuzzy Hash: 8f661e04366838e4ce4ba5aebd1dc93168e9e41b499943add9dd9d6d7fef4196
                                                          • Instruction Fuzzy Hash: 1DF17022A2C99AD5FB50EB31D8951FE2765EF9434CF804031EA0E879DAEF78D509C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 90c85cb65d38bad6ee87958564d5bb6e54eddf6d496b0914b1e63d609f926690
                                                          • Instruction ID: 4a05ee1b3b7e587f865a5a8a806dfdebd397cf111a4704e8732c7accca93eb11
                                                          • Opcode Fuzzy Hash: 90c85cb65d38bad6ee87958564d5bb6e54eddf6d496b0914b1e63d609f926690
                                                          • Instruction Fuzzy Hash: 84E18D22B1C6AAD5FB50EB61D4512FD27A4EF8434CF804031EA1E47ADAEE7CE505C768
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4793626beca4eb920313b5b4abf8812a4177065f169b5b16d98632f4f1ce2078
                                                          • Instruction ID: 2051dc04fc267f4b2cefd98efe002066261e2708c3dafbcd46f9aa7d73a4cd9a
                                                          • Opcode Fuzzy Hash: 4793626beca4eb920313b5b4abf8812a4177065f169b5b16d98632f4f1ce2078
                                                          • Instruction Fuzzy Hash: B6E19366B1CA6AD4EA40EB61D4520FE6764FF8478CF800431EA4E87ADAEF3CD505C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfcd8345e0527295787ed532cf0b76d993265f1e625a5e117e0a9f941a2b0157
                                                          • Instruction ID: 6f419a925896466921abed722d73456f70787792f5bb7d4e8d7e29decce17f52
                                                          • Opcode Fuzzy Hash: bfcd8345e0527295787ed532cf0b76d993265f1e625a5e117e0a9f941a2b0157
                                                          • Instruction Fuzzy Hash: 60F16022A2C9AAD5EB50EB61C8911FD2769FF9034CF804032E64D479DAEF2CE605C774
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a1ec2f76909503f5e5f280d8b1d36be997d868925ad19848859c1f5d0e5c577
                                                          • Instruction ID: 7432ceb2062e6dc73d567c21989c3ab5ddd47c7eedac634c93d98e852c98d426
                                                          • Opcode Fuzzy Hash: 7a1ec2f76909503f5e5f280d8b1d36be997d868925ad19848859c1f5d0e5c577
                                                          • Instruction Fuzzy Hash: 1BC13A1352C1E08BD7658B36A0512BEAF90EF953CCF580675EECD96ADBD62CC214CB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2d555b941f5300850b9518b7182a859395d49d98e2d5b539dc6be0b4fcff300a
                                                          • Instruction ID: 292d8531a7729097c4ae5ca93aea38b9c53df9dec2f2a01974ad22adff8a3fbd
                                                          • Opcode Fuzzy Hash: 2d555b941f5300850b9518b7182a859395d49d98e2d5b539dc6be0b4fcff300a
                                                          • Instruction Fuzzy Hash: 07D1BF66B1C956D1EB40EB70D4921FE6765FF84388F800432EA4D83ADAEE3CD505C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea235d4e0d1414fab4af90868f9b86f5d171ea6d1b4f832b5d38792101ff4594
                                                          • Instruction ID: d57f8da125fd208013d7b3ebe04defb79b82d1f45190ef2433870d224835c7b5
                                                          • Opcode Fuzzy Hash: ea235d4e0d1414fab4af90868f9b86f5d171ea6d1b4f832b5d38792101ff4594
                                                          • Instruction Fuzzy Hash: 43C1A22AF0DA6AD9FB10EB75D0502BE27A1AF8474CF844431DE0D976DADE78E505C324
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFindNext
                                                          • String ID:
                                                          • API String ID: 2029273394-0
                                                          • Opcode ID: a47b1571769b71061f7386e70a296463ad06a0d77e6d86b84660bcac130057ab
                                                          • Instruction ID: aaa3ee9a17416024b224f099fd1dff868af0e81204f5ee19397697de12035c91
                                                          • Opcode Fuzzy Hash: a47b1571769b71061f7386e70a296463ad06a0d77e6d86b84660bcac130057ab
                                                          • Instruction Fuzzy Hash: 79D1B322A1CAA6D5EB40EB20D4512FE2764FF9474CF804031EA4D876CAEF7CE515C764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a78213419fa403d19e8ba573a5bb0c82199ede7bbd4b0919e3d741805d4ca7da
                                                          • Instruction ID: 4b524c4df6ec562bbee7cecacd2698e9e7d92756f9e40100da37a3c598597673
                                                          • Opcode Fuzzy Hash: a78213419fa403d19e8ba573a5bb0c82199ede7bbd4b0919e3d741805d4ca7da
                                                          • Instruction Fuzzy Hash: 03C1B122B0CA5AD5FB50EBA1D0592FE27A1AF5438CF804071DE0D876D6EE78E506C378
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c70620dd640cb9417e6f539abca38ce7f2bd38855fbbf3272b3bde5521d98ab9
                                                          • Instruction ID: cff832d84889d55e8f3bb527924351f69b5394d2b1942aa9d96b4c57bce724df
                                                          • Opcode Fuzzy Hash: c70620dd640cb9417e6f539abca38ce7f2bd38855fbbf3272b3bde5521d98ab9
                                                          • Instruction Fuzzy Hash: D5B15D26F1863AD4EA40EBA1D4551FE2765AF89B8CF805031EE0D47BDADE7CD405C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 888eea97ffef24a192abb0a354466538007223d93a06cbaa9e987cb9b68a8cc4
                                                          • Instruction ID: 73c98db3da05509066c484ced505022a45b0404427d59ba539f2bc8bc3f9d197
                                                          • Opcode Fuzzy Hash: 888eea97ffef24a192abb0a354466538007223d93a06cbaa9e987cb9b68a8cc4
                                                          • Instruction Fuzzy Hash: 7FC1D122B0C65AD6EB60DB71D4402BD37A0AF9536CF480235EE1D4BAD6DF78E519C328
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8efb57f33e91665b454b318c20399fb8b75e3b0d5c8074a2f1ede7ff882a8e07
                                                          • Instruction ID: 2ec50c4099efc4aa3980ec47c59817151dc9a3a899c99cc9b86a96dd20a0d9e0
                                                          • Opcode Fuzzy Hash: 8efb57f33e91665b454b318c20399fb8b75e3b0d5c8074a2f1ede7ff882a8e07
                                                          • Instruction Fuzzy Hash: BAC18062F0C95AD9FB90EBA1D0512FD27A5AF9434CF804531DE0DA7ACADE38D509C364
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1346c67a4001e8ec71b2ecf12ee69e9ccdcfdb209907d1eb0c7892ed0958e83
                                                          • Instruction ID: 1cf0659086a0b103468d034449751fa8a4d3974cd38f440282582e6b439ab5fa
                                                          • Opcode Fuzzy Hash: e1346c67a4001e8ec71b2ecf12ee69e9ccdcfdb209907d1eb0c7892ed0958e83
                                                          • Instruction Fuzzy Hash: ECA12422A5C6ABC1FB61CB2594283BE6791BFC838CF545435ED0D866C8EE3CE905C365
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d0bfd8c7c0170523a9bada214f78ba6b12f0df9ce1156bc7c150526159cc8e3
                                                          • Instruction ID: 84bcc9fe024ab7d50bb341a01aa18090ae87fc19c4339995932365fe3c4d0c94
                                                          • Opcode Fuzzy Hash: 3d0bfd8c7c0170523a9bada214f78ba6b12f0df9ce1156bc7c150526159cc8e3
                                                          • Instruction Fuzzy Hash: 92B1C366B1C5AAD2EA54EB21D4512FE63A1FF9478CF844031EA4D837CAEE7CD504C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: babea76ce2edd719bef7d57a5204983a6c99abdbdd04f4edc2f976bcb4b82cce
                                                          • Instruction ID: e58d59ac6aa18286910a557d230fb2549a5c4bd0a528d1969211150394addd17
                                                          • Opcode Fuzzy Hash: babea76ce2edd719bef7d57a5204983a6c99abdbdd04f4edc2f976bcb4b82cce
                                                          • Instruction Fuzzy Hash: C4A1346388C2BAC5F7758A25814037A7FF1EF1170DF454136EA8E425E6CA2CE941DB38
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69aaede3648a4eed74b6a8f3897f7f82868b66c790a08888e25870a1acf979ee
                                                          • Instruction ID: 57a4a3281b7fab60532e0885e14a802cdf257ef12a498929d60f7ee542c706ee
                                                          • Opcode Fuzzy Hash: 69aaede3648a4eed74b6a8f3897f7f82868b66c790a08888e25870a1acf979ee
                                                          • Instruction Fuzzy Hash: 21B1C421B2C69AD5EB50EB21E4551FE6761FF84788F805031EA4E47ADAEF3CE109C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bd6df93af20696ce61b65c84b114c71a244eb935c631d72c6eb88f0af816f05
                                                          • Instruction ID: 9e097af1d299485b1e4b1474ccb86b59f4a420c272e0a04cc96aefc8dbcc3edb
                                                          • Opcode Fuzzy Hash: 7bd6df93af20696ce61b65c84b114c71a244eb935c631d72c6eb88f0af816f05
                                                          • Instruction Fuzzy Hash: C7A1C022B0C65AC5EB50DB61D4916BE27E5EF88788F840535DE4C83BC6EF38D906C324
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 12d6b6570887948d2036593c4fa2e517d7a349a684e81613430d1f86f35ae348
                                                          • Instruction ID: 4129d698cd2dded33f9c63ae88cf4d5869e0da41311981da5d82292bbe789eac
                                                          • Opcode Fuzzy Hash: 12d6b6570887948d2036593c4fa2e517d7a349a684e81613430d1f86f35ae348
                                                          • Instruction Fuzzy Hash: CC71C121B0D65AC5FB94AB61D4113BD27D19F8478CF444435DA0D47BCAEE3CE905C368
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 48a73122aa90b1427d502a98990fdf7291d62d4851d7f0b35ec174ae5dd513cd
                                                          • Instruction ID: 7fda5bfbbd307056ed22ee4f7a888860a5bc717862ddadb0d33cb8f37a91fb5b
                                                          • Opcode Fuzzy Hash: 48a73122aa90b1427d502a98990fdf7291d62d4851d7f0b35ec174ae5dd513cd
                                                          • Instruction Fuzzy Hash: DF611111B0C6AAC5FA90E722D4615BA57E1AFC57D8F844235EA5D837C6FE2CE401C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2caf3cc3d18f3bdde1b2a88a9497d69fa6785ba81ed1363ac3444b02ccccdd39
                                                          • Instruction ID: b345a5d196be8c70cf85985ed81227d405d5c6189d3a561bcccc20942e08f136
                                                          • Opcode Fuzzy Hash: 2caf3cc3d18f3bdde1b2a88a9497d69fa6785ba81ed1363ac3444b02ccccdd39
                                                          • Instruction Fuzzy Hash: 9A619426B1C66AD6FB50EB61C0542FE23A5AF8874CF805431DE0D57ACAEE38D506C379
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b39bc435c6f424e6a24847b32e2f34c7ff3f0e5b6e360ef9859df5e86b155e70
                                                          • Instruction ID: 4cdfb0f29afe17f70d19c9d02e2e2ce22f00fd3c4c9e3a863cebf517c44e019b
                                                          • Opcode Fuzzy Hash: b39bc435c6f424e6a24847b32e2f34c7ff3f0e5b6e360ef9859df5e86b155e70
                                                          • Instruction Fuzzy Hash: 1E619622A2C66AC1FF50DB16D0546BE63A4FFC5788F805131EA5D47ADADE7CD401C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: b0fc26077fb7dfd3e82a944be5800063d8e62ea182c57efd39adfe47ebf91e96
                                                          • Instruction ID: b1d7c8dcc3aa4fcb2a8b32d97ac8cb9b1e11d2e044d838ee728367a60b18bbf0
                                                          • Opcode Fuzzy Hash: b0fc26077fb7dfd3e82a944be5800063d8e62ea182c57efd39adfe47ebf91e96
                                                          • Instruction Fuzzy Hash: BF71BB72A1C699D9EB50DB60D4512ED7BA1FF8434CF844031EA4D47ACADF78E508CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 997cc84da153571a6576113b1e96a68aba698dd2523c5cf0efd3b4fb32e9bf93
                                                          • Instruction ID: 99499c3fc7b293cc9c572fbc4a052d4b62843b1566cc53fc2b8f1b1f39db000a
                                                          • Opcode Fuzzy Hash: 997cc84da153571a6576113b1e96a68aba698dd2523c5cf0efd3b4fb32e9bf93
                                                          • Instruction Fuzzy Hash: E7518E62B1C66AD1FB50EB61E4552FE67A1EF94348F800031EA4D47ADADE7CE508CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0769d196557d1790af2a64eafcf6092895f85137ff93f9c94ae419b301080d1a
                                                          • Instruction ID: e97a3bd20e5792ba58e7eec93cdb72737d6cdf12cc72c2d2a7eeed5af0aaddb2
                                                          • Opcode Fuzzy Hash: 0769d196557d1790af2a64eafcf6092895f85137ff93f9c94ae419b301080d1a
                                                          • Instruction Fuzzy Hash: A3613632908B8684E750DF31A491AED33E9FB49B4CF984138DE9D4B39ADF398051D328
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cc44db5f28221e0cf0ae5d1237f1819069b5c3e9a7d73ddd68a7a4c7c8699da6
                                                          • Instruction ID: 0e5fab37ed84017ec4e146d92db87ddee7fdfc4e4119d516f2ab3e93f4e5ea42
                                                          • Opcode Fuzzy Hash: cc44db5f28221e0cf0ae5d1237f1819069b5c3e9a7d73ddd68a7a4c7c8699da6
                                                          • Instruction Fuzzy Hash: 3951A422B2C5A6D2EB50EB22D4556AE6394FF94BC8F805031EE4D43BD6DE7CD404CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83469a3fea14c8a22ad37a3829d82cc6925ef5e6a2115f87bce9c10ebfc10028
                                                          • Instruction ID: de21317c0d78f3c3caf22707cb3705c732c3911520199e0e2d9a1226b5a45eec
                                                          • Opcode Fuzzy Hash: 83469a3fea14c8a22ad37a3829d82cc6925ef5e6a2115f87bce9c10ebfc10028
                                                          • Instruction Fuzzy Hash: 08517C22B0C95AD9FB50EB71D4516FD2361AF8878CF844031DE0D96ACADE78D505C368
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b4b7b2f185c89bde099cd347935f2a4d5f558a15fc4162d7e759108ac842e55
                                                          • Instruction ID: 12446e7f679ac0769e3dd6a60abb6a781cab4db0f255d8bbaf2c7c8b4c46a695
                                                          • Opcode Fuzzy Hash: 1b4b7b2f185c89bde099cd347935f2a4d5f558a15fc4162d7e759108ac842e55
                                                          • Instruction Fuzzy Hash: 61519E22B1C66AD5FB50EBA1D4513FE67A1AF9434CF840032EA4D479DADE7CE508CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e62cb177f987f71f3cf0e5803517de4d5bb4f146f42e0200321c919a982c235
                                                          • Instruction ID: a4ff7e218b36a0d2f960c892166d34739a81c1f154eeecdb1133d80a6fbc3716
                                                          • Opcode Fuzzy Hash: 5e62cb177f987f71f3cf0e5803517de4d5bb4f146f42e0200321c919a982c235
                                                          • Instruction Fuzzy Hash: BC51077660C66AD2EA10EB21C4915BE6364FFC8798F804132EB0D836D2EF3CE155C724
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c91ef941d1737411508bb001385e86c9cefe93bfa811a3ff23d670bc1e9ed299
                                                          • Instruction ID: c3bf6bfe9351ce08763e6d8b2f1afa34e28dd1896720c5f91f51a79ed79d2677
                                                          • Opcode Fuzzy Hash: c91ef941d1737411508bb001385e86c9cefe93bfa811a3ff23d670bc1e9ed299
                                                          • Instruction Fuzzy Hash: EC418F51F2C67AC4FB41E771D8511BE23A1AF88788F844031E90E97ACAEE7CD502C728
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70eb0f53ad0297bd1b17417027bd2304b513837b3d44cc32065bd6379c9883c7
                                                          • Instruction ID: 1238f1914e490962665fc4537b15dc34359d5ba18980e6b6c7745a039a5a868a
                                                          • Opcode Fuzzy Hash: 70eb0f53ad0297bd1b17417027bd2304b513837b3d44cc32065bd6379c9883c7
                                                          • Instruction Fuzzy Hash: 44416C56F2C63AC5FB41E762D8510FD63A5AF8878CF944031DA0E97ACAEE2CD541C228
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69c6acce53346106deabb2adb0fa8056310d1eb2e8744015d017380b53eaf195
                                                          • Instruction ID: e302b5aeb35ff4e2d8be1d7794791fe35b6bfff6cd85ee7b8cd0c21351a073ec
                                                          • Opcode Fuzzy Hash: 69c6acce53346106deabb2adb0fa8056310d1eb2e8744015d017380b53eaf195
                                                          • Instruction Fuzzy Hash: 24510732A18BA5C5E780DF35E4412ED33A8FB48F88F58413AEA8D4B799DF349152C764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: 832d85bf6204d5e14a830096db010d01002ddb84c0e9e4655a34d62ba22b0e7e
                                                          • Instruction ID: de617392280cd0895dd23285a8cae6dbf79e02b99b899a43e3e7d6276b38b63b
                                                          • Opcode Fuzzy Hash: 832d85bf6204d5e14a830096db010d01002ddb84c0e9e4655a34d62ba22b0e7e
                                                          • Instruction Fuzzy Hash: 1C515632718B96E2E748DB21D5913E9B368FF88708F908425DB9C13695CF38E1B6C718
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a884cfd8c748b068734e59e7f29a5d89b8f1b299cd0f2b200a9d6468436a8a8c
                                                          • Instruction ID: 945af226602f71d8743a7418ed58e98dcae7c292b82828e382d8621b6430b1ff
                                                          • Opcode Fuzzy Hash: a884cfd8c748b068734e59e7f29a5d89b8f1b299cd0f2b200a9d6468436a8a8c
                                                          • Instruction Fuzzy Hash: 88511972518BA5C5E784CF35E4813ED33A8FB48F88F58413AEA8D8B699DF348152C760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2dbfa565b830cccb199c4bdaf821914782019420120f90f5eec39ee9b891f0b9
                                                          • Instruction ID: e09c257d95993e481bb3e2f9c3626868487af192547b9b171ca9e7b403a387d8
                                                          • Opcode Fuzzy Hash: 2dbfa565b830cccb199c4bdaf821914782019420120f90f5eec39ee9b891f0b9
                                                          • Instruction Fuzzy Hash: 91315B62A4CA6AC2F6748B15A51037977C1EFC5349F588235DB9D433C4DEECE802C768
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2435ecfe8df9d379fe949f65769208f67807e14af0845d1006c8829ca2cc55e0
                                                          • Instruction ID: 7ec69f81561fb915bf362deca5a4f4a0f804f626fc0d2c7a48575a3ee33c0f4d
                                                          • Opcode Fuzzy Hash: 2435ecfe8df9d379fe949f65769208f67807e14af0845d1006c8829ca2cc55e0
                                                          • Instruction Fuzzy Hash: A7314B32624BA495E788DB35D8812ED73A9FB88B48FA48036E78D476D5CF76D163C310
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC68290000, based on PE: true
                                                          • Associated: 00000000.00000002.311330619.00007FFC68290000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312032725.00007FFC68311000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312125637.00007FFC68324000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.312143807.00007FFC68326000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ffc68290000_loaddll64.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7785df124227ca2189d2f1e5e9692317ca2612ea228bf4003116393ecc44e874
                                                          • Instruction ID: 54403f9b688084dd1c91bd88c15697574edbe4363d1529286e606e8d0b19b065
                                                          • Opcode Fuzzy Hash: 7785df124227ca2189d2f1e5e9692317ca2612ea228bf4003116393ecc44e874
                                                          • Instruction Fuzzy Hash: 2231FA32604B4484E784DB35D9812F9B3E9FFA8B4CFA88436964D4A5E9DF76C157C320
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:18.9%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:15
                                                          Total number of Limit Nodes:1
                                                          execution_graph 230 267f494297b 231 267f4942989 230->231 236 267f494205a VirtualAlloc 231->236 233 267f49429a5 238 267f4942254 233->238 235 267f49429bd 237 267f49420be 236->237 237->233 239 267f494237c VirtualProtect 238->239 240 267f49422ff 238->240 241 267f49423e6 239->241 240->239 242 267f494244b VirtualProtect 241->242 243 267f4942505 VirtualProtect 242->243 244 267f4942542 242->244 243->244 246 267f49425bf 244->246 247 267f494258a RtlAvlRemoveNode 244->247 246->235 247->246

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.366848785.00000267F4940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000267F4940000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_267f4940000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$NodeRemove
                                                          • String ID:
                                                          • API String ID: 3879549435-0
                                                          • Opcode ID: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction ID: f16ddecbb27faf05100b04cb2f0039bb68eb624e2d53b0b7d3f774d13ade35dc
                                                          • Opcode Fuzzy Hash: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction Fuzzy Hash: 61B13076618BC586D770CB1AF440B9AB7A1F7C9B84F108026EE8957B69DF7EC8418F40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000267F49429A5), ref: 00000267F49420AA
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.366848785.00000267F4940000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000267F4940000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_267f4940000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction ID: ceb594ec032d438669cadf9a7a9dd15f7195d11963bb7548d142ac146708a4e4
                                                          • Opcode Fuzzy Hash: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction Fuzzy Hash: 3D314D72719B8086D790CF1AF45575A7BA0F389BD4F109026EF4D97B28DF3AC4428B00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:18.9%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:15
                                                          Total number of Limit Nodes:1
                                                          execution_graph 230 18772c8297b 231 18772c82989 230->231 236 18772c8205a VirtualAlloc 231->236 233 18772c829a5 238 18772c82254 233->238 235 18772c829bd 237 18772c820be 236->237 237->233 239 18772c822ff 238->239 240 18772c8237c VirtualProtect 238->240 239->240 241 18772c823e6 240->241 242 18772c8244b VirtualProtect 241->242 243 18772c82542 242->243 244 18772c82505 VirtualProtect 242->244 246 18772c825bf 243->246 247 18772c8258a RtlAvlRemoveNode 243->247 244->243 246->235 247->246

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.289788927.0000018772C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018772C80000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_18772c80000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$NodeRemove
                                                          • String ID:
                                                          • API String ID: 3879549435-0
                                                          • Opcode ID: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction ID: f9279df6191c4f9da5b4ac982a9937711ea3d8874a1c2d7c4eb769384b886f68
                                                          • Opcode Fuzzy Hash: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction Fuzzy Hash: 6CB14176618BC58AD770CB1AE4407DAB7A1F7D9B80F208026EE8957B98DF79C941CF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000018772C829A5), ref: 0000018772C820AA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.289788927.0000018772C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018772C80000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_18772c80000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction ID: c4c6de22a482e1088448bb0d36f80a90b362e94d499e7816dd3bd02489a8d8d3
                                                          • Opcode Fuzzy Hash: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction Fuzzy Hash: E7316B72615B8086D790CF1AE45479A7BB0F389BD4F209026EF8E97B58DF3AC442CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:18.9%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:15
                                                          Total number of Limit Nodes:1
                                                          execution_graph 230 14c9a26297b 231 14c9a262989 230->231 236 14c9a26205a VirtualAlloc 231->236 233 14c9a2629a5 238 14c9a262254 233->238 235 14c9a2629bd 237 14c9a2620be 236->237 237->233 239 14c9a2622ff 238->239 240 14c9a26237c VirtualProtect 238->240 239->240 241 14c9a2623e6 240->241 242 14c9a26244b VirtualProtect 241->242 243 14c9a262542 242->243 244 14c9a262505 VirtualProtect 242->244 246 14c9a2625bf 243->246 247 14c9a26258a RtlAvlRemoveNode 243->247 244->243 246->235 247->246

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.296690512.0000014C9A260000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014C9A260000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_14c9a260000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$NodeRemove
                                                          • String ID:
                                                          • API String ID: 3879549435-0
                                                          • Opcode ID: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction ID: af97b28288f58b5eeeb18cfbf6ccbbfb238e8d217911e00166fd847ec75bc9cc
                                                          • Opcode Fuzzy Hash: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction Fuzzy Hash: 02B16776619BC486DB70CB1AE4407EEB7A1F7C9B84F108026DE8D53B69DB79C8518F40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000014C9A2629A5), ref: 0000014C9A2620AA
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.296690512.0000014C9A260000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014C9A260000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_14c9a260000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction ID: 6c36949723612317465e262174faaf6ceb6d2d4b17694aa5b7769b02fef073ab
                                                          • Opcode Fuzzy Hash: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction Fuzzy Hash: 9D312D72715B8086D790DF1AE45479E7BA0F389BD4F109026EF4D97B68DF3AC4468B40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:18.9%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:15
                                                          Total number of Limit Nodes:1
                                                          execution_graph 230 1bde0fe297b 231 1bde0fe2989 230->231 236 1bde0fe205a VirtualAlloc 231->236 233 1bde0fe29a5 238 1bde0fe2254 233->238 235 1bde0fe29bd 237 1bde0fe20be 236->237 237->233 239 1bde0fe237c VirtualProtect 238->239 240 1bde0fe22ff 238->240 241 1bde0fe23e6 239->241 240->239 242 1bde0fe244b VirtualProtect 241->242 243 1bde0fe2505 VirtualProtect 242->243 244 1bde0fe2542 242->244 243->244 246 1bde0fe258a RtlAvlRemoveNode 244->246 247 1bde0fe25bf 244->247 246->247 247->235

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.304967424.000001BDE0FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BDE0FE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1bde0fe0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$NodeRemove
                                                          • String ID:
                                                          • API String ID: 3879549435-0
                                                          • Opcode ID: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction ID: 6f998248978026aa06c4af0abb896f2583eb63b2552d4504158ff8968f8b053a
                                                          • Opcode Fuzzy Hash: 5be500564576e27efb21694368d3cfa9554e3f10a740d94740bbe2c04abcc7cb
                                                          • Instruction Fuzzy Hash: C5B15576619BC486D7708B1AF440BDEB7A1F799B90F108026EF8957B58DB39C852CF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001BDE0FE29A5), ref: 000001BDE0FE20AA
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.304967424.000001BDE0FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BDE0FE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1bde0fe0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction ID: ac2e20b523d49d14b2b481edac808aa149e377609385777ff651f253e3b51759
                                                          • Opcode Fuzzy Hash: 011c6879bde9f1e75c40580259034cfef7b37f76bdcbeed9748d12d6c56c4f62
                                                          • Instruction Fuzzy Hash: 3E312C72615A9086D790DF1AE45579E7BA0F389BD4F209026EF4D9BB18DF3AC446CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

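The four rundll32 execution graphs above (processes 3, 4, 6 and 8) each have 15 nodes, carry the same Opcode ID for their VirtualProtect/RtlAvlRemoveNode function, and call VirtualAlloc, VirtualProtect and RtlAvlRemoveNode at the same offsets from four different load addresses. The script below is an added example, not Joe Sandbox code: it parses the report's flattened execution_graph notation, rebases every node to an RVA using the "Offset:" value from the matching Memory Dump Source entry, recovers the API call order by topological sort, and checks that all four graphs are the same stub after rebasing. The graph strings and base addresses are copied from this report; the token grammar (node id, hex address, optional API names, src->dst edges, and an "N API calls" summary attached to a node) is an assumption inferred from the visible lines, not a documented format.

```python
"""Parse and compare the flattened execution_graph lines of a Joe Sandbox report.

Added example, not Joe Sandbox code. Token grammar assumed from the report:
    execution_graph <id> <hexaddr> [ApiName ...] ... <src>-><dst> ...
where an "<n> API calls" triple after a node is a summary, not a new node.
"""
import heapq
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Dump base ("Offset:") and execution_graph text of the four injected rundll32
# processes, copied from this report.
REPORT_GRAPHS = {
    3: (0x267F4940000,
        "230 267f494297b 231 267f4942989 230->231 236 267f494205a VirtualAlloc 231->236 233 267f49429a5 238 267f4942254 233->238 235 267f49429bd "
        "237 267f49420be 236->237 237->233 239 267f494237c VirtualProtect 238->239 240 267f49422ff 238->240 241 267f49423e6 239->241 240->239 "
        "242 267f494244b VirtualProtect 241->242 243 267f4942505 VirtualProtect 242->243 244 267f4942542 242->244 243->244 246 267f49425bf 244->246 "
        "247 267f494258a RtlAvlRemoveNode 244->247 246->235 247->246"),
    4: (0x18772C80000,
        "230 18772c8297b 231 18772c82989 230->231 236 18772c8205a VirtualAlloc 231->236 233 18772c829a5 238 18772c82254 233->238 235 18772c829bd "
        "237 18772c820be 236->237 237->233 239 18772c822ff 238->239 240 18772c8237c VirtualProtect 238->240 239->240 241 18772c823e6 240->241 "
        "242 18772c8244b VirtualProtect 241->242 243 18772c82542 242->243 244 18772c82505 VirtualProtect 242->244 246 18772c825bf 243->246 "
        "247 18772c8258a RtlAvlRemoveNode 243->247 244->243 246->235 247->246"),
    6: (0x14C9A260000,
        "230 14c9a26297b 231 14c9a262989 230->231 236 14c9a26205a VirtualAlloc 231->236 233 14c9a2629a5 238 14c9a262254 233->238 235 14c9a2629bd "
        "237 14c9a2620be 236->237 237->233 239 14c9a2622ff 238->239 240 14c9a26237c VirtualProtect 238->240 239->240 241 14c9a2623e6 240->241 "
        "242 14c9a26244b VirtualProtect 241->242 243 14c9a262542 242->243 244 14c9a262505 VirtualProtect 242->244 246 14c9a2625bf 243->246 "
        "247 14c9a26258a RtlAvlRemoveNode 243->247 244->243 246->235 247->246"),
    8: (0x1BDE0FE0000,
        "230 1bde0fe297b 231 1bde0fe2989 230->231 236 1bde0fe205a VirtualAlloc 231->236 233 1bde0fe29a5 238 1bde0fe2254 233->238 235 1bde0fe29bd "
        "237 1bde0fe20be 236->237 237->233 239 1bde0fe237c VirtualProtect 238->239 240 1bde0fe22ff 238->240 241 1bde0fe23e6 239->241 240->239 "
        "242 1bde0fe244b VirtualProtect 241->242 243 1bde0fe2505 VirtualProtect 242->243 244 1bde0fe2542 242->244 243->244 246 1bde0fe258a RtlAvlRemoveNode 244->246 "
        "247 1bde0fe25bf 244->247 246->247 247->235"),
}


def parse_execution_graph(line):
    """Return ({node_id: (address, [api, ...])}, [(src_id, dst_id), ...])."""
    toks = line.split()
    if toks and toks[0] == "execution_graph":
        toks = toks[1:]
    nodes, edges, last, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            nodes[last][1].append(f"{tok} API calls")   # summary annotation, not a node
            i += 3
        elif tok.isdigit():                              # new node: id followed by hex address
            last = int(tok)
            nodes[last] = (int(toks[i + 1], 16), [])
            i += 2
        elif IDENT_RE.match(tok) and not HEX_RE.match(tok):
            nodes[last][1].append(tok)                   # API name belongs to the last node
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return nodes, edges


def canonical(nodes, edges, base):
    """Rebase addresses to RVAs so graphs from different processes (different ASLR
    bases, different node numbering) compare as plain sets."""
    rva = {nid: addr - base for nid, (addr, _) in nodes.items()}
    node_set = frozenset((rva[n], tuple(apis)) for n, (_, apis) in nodes.items())
    edge_set = frozenset((rva[s], rva[d]) for s, d in edges)
    return node_set, edge_set


def api_call_sequence(nodes, edges):
    """API names in topological order (Kahn's algorithm, lowest address first).
    Raises ValueError for a cyclic graph, where no such order exists."""
    indeg = dict.fromkeys(nodes, 0)
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
        indeg[d] += 1
    ready = [(nodes[n][0], n) for n in nodes if indeg[n] == 0]
    heapq.heapify(ready)
    seq, done = [], 0
    while ready:
        _, n = heapq.heappop(ready)
        done += 1
        seq.extend(nodes[n][1])
        for d in succ[n]:
            indeg[d] -= 1
            if indeg[d] == 0:
                heapq.heappush(ready, (nodes[d][0], d))
    if done != len(nodes):
        raise ValueError("graph contains a cycle")
    return seq


def same_stub_in_all(graphs):
    """True when every process's graph rebases to identical node and edge sets."""
    forms = [canonical(*parse_execution_graph(line), base) for base, line in graphs.values()]
    return all(f == forms[0] for f in forms)


if __name__ == "__main__":
    for pid, (base, line) in REPORT_GRAPHS.items():
        print(pid, hex(base), " -> ".join(api_call_sequence(*parse_execution_graph(line))))
    print("identical after rebasing:", same_stub_in_all(REPORT_GRAPHS))
```

Run stand-alone it prints VirtualAlloc -> VirtualProtect -> VirtualProtect -> VirtualProtect -> RtlAvlRemoveNode for each process and `identical after rebasing: True`, which is what the identical Opcode IDs and node counts above already suggest. The rebased node and edge sets are a usable key for clustering dumps across reports that use the same graph notation; the topological sort raises on graphs with cycles (such as the larger graph further down), since a single call order is not defined there.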
                                                          Execution Graph

                                                          Execution Coverage:1.6%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:6.3%
                                                          Total number of Nodes:1721
                                                          Total number of Limit Nodes:3
execution_graph: serialized node and edge list of the report's interactive execution graph (per-function addresses with their resolved API calls and the call edges between them); graph data not reproduced.
4668 7ff679f9a62c EtwTraceMessage 4668->4684 4669 7ff679f96ad8 GetLastError 4674 7ff679f92dcf CoTaskMemFree 4669->4674 4669->4684 4677 7ff679f91741 4670->4677 4672 7ff679f96971 memset 4672->4684 4673 7ff679f92d48 ImpersonateLoggedOnUser 4673->4669 4673->4684 4674->4684 4676->4665 4677->4555 4677->4556 4678 7ff679f9c0cc 26 API calls 4678->4684 4683 7ff679f92e30 GetSystemMetrics 4686 7ff679f92e59 4683->4686 4684->4663 4684->4664 4684->4667 4684->4668 4684->4669 4684->4672 4684->4673 4684->4674 4684->4678 4684->4683 4685 7ff679f9b994 14 API calls 4684->4685 4687 7ff679f92eaf 4684->4687 4943 7ff679f92fd0 memset memset memset 4684->4943 4963 7ff679f9d25c EtwTraceMessage 4684->4963 4964 7ff679f9d16c 4684->4964 4967 7ff679f9c420 4684->4967 4992 7ff679f9be38 4684->4992 4995 7ff679f9be9c memset StringFromGUID2 4684->4995 5003 7ff679f9cee4 4684->5003 4685->4684 4686->4686 4688 7ff679f92e83 CoCreateInstance 4686->4688 4690 7ff679f92f31 4686->4690 4689 7ff679f92f06 GetDriveTypeW 4687->4689 4687->4690 4688->4687 4688->4690 4689->4690 4690->4664 5006 7ff679f9a69c EtwTraceMessage 4690->5006 4693 7ff679f92a58 4692->4693 4721 7ff679f9639c 4692->4721 4694 7ff679f92a6d LocalAlloc 4693->4694 4693->4721 4695 7ff679f92a85 LocalAlloc 4694->4695 4694->4721 4696 7ff679f92a9d LocalAlloc 4695->4696 4695->4721 4698 7ff679f92ab6 4696->4698 4696->4721 4697 7ff679f92b33 LocalAlloc 4699 7ff679f96591 4697->4699 4700 7ff679f92b4a QueueUserAPC 4697->4700 5185 7ff679f92bb0 4698->5185 4703 7ff679f92b70 4699->4703 5195 7ff679f9a238 EtwTraceMessage 4699->5195 4700->4703 4705 7ff679f92b79 4703->4705 4706 7ff679f965cc 4703->4706 4713 7ff679f94610 7 API calls 4705->4713 4707 7ff679f965d4 LocalFree 4706->4707 4708 7ff679f965da 4706->4708 4707->4708 4715 7ff679f965e3 LocalFree 4708->4715 4716 7ff679f965e9 LocalFree 4708->4716 4709 7ff679f96461 GetLastError 4709->4697 4709->4721 4710 7ff679f92af6 WaitForSingleObject 4717 7ff679f96499 4710->4717 4718 7ff679f92b10 4710->4718 4714 7ff679f918d2 4713->4714 
4714->4589 4714->4591 4715->4716 4719 7ff679f964a4 4717->4719 4720 7ff679f96549 4717->4720 4718->4697 4722 7ff679f964d2 4719->4722 5192 7ff679f9a218 EtwTraceMessage 4719->5192 4720->4718 4723 7ff679f96562 GetLastError 4720->4723 4721->4697 5191 7ff679f9a238 EtwTraceMessage 4721->5191 4724 7ff679f93894 11 API calls 4722->4724 5194 7ff679f9a238 EtwTraceMessage 4723->5194 4728 7ff679f964de 4724->4728 4727 7ff679f96533 CoCancelCall 4727->4697 4728->4727 5193 7ff679f9a2fc EventWriteTransfer 4728->5193 4731 7ff679f91f97 4730->4731 4732 7ff679f9617c ImpersonateLoggedOnUser 4730->4732 4733 7ff679f92059 4731->4733 4734 7ff679f91fb9 NtDuplicateToken RtlNtStatusToDosErrorNoTeb 4731->4734 4732->4731 4735 7ff679f9618e 4732->4735 4738 7ff679f96222 4733->4738 4739 7ff679f961a4 4733->4739 4744 7ff679f92007 4733->4744 4734->4744 4745 7ff679f961b6 4734->4745 5241 7ff679fa055c QueueUserWorkItem 4735->5241 4742 7ff679f96237 4738->4742 4738->4744 4746 7ff679f96286 4738->4746 5246 7ff679f9b1e0 memset 4739->5246 4740 7ff679f9203d 4740->4605 4742->4744 5253 7ff679f9b020 NtQueryInformationToken 4742->5253 4744->4740 5198 7ff679f92070 memset 4744->5198 4745->4744 5296 7ff679f9a238 EtwTraceMessage 4745->5296 5262 7ff679f9b144 memset GetTokenInformation 4746->5262 4750 7ff679f96251 4750->4745 5283 7ff679f9b2e8 memset 4750->5283 4755 7ff679f962c7 5267 7ff679f9b4b4 memset memset GetModuleHandleW LoadStringW 4755->5267 4758 7ff679f939d1 LocalAlloc 4757->4758 4759 7ff679f939fa 4757->4759 4758->4759 4763 7ff679f93a02 ImpersonateLoggedOnUser 4758->4763 4761 7ff679f941ae UnloadUserProfile 4759->4761 4762 7ff679f941b7 LocalFree 4759->4762 4761->4762 4764 7ff679f91afb EtwEventWrite 4762->4764 4765 7ff679f941d6 CloseHandle 4762->4765 4766 7ff679f93a0f GetLastError 4763->4766 4767 7ff679f93a1c GetUserNameExW 4763->4767 4764->4607 4764->4613 4765->4764 4766->4759 4768 7ff679f93a42 RevertToSelf wcschr 4767->4768 4769 7ff679f93a35 GetLastError 4767->4769 4771 7ff679f93a5b LoadUserProfileW 4768->4771 4770 
7ff679f94055 RevertToSelf 4769->4770 4772 7ff679f9405b 4770->4772 4774 7ff679f93a91 4771->4774 4775 7ff679f93a84 GetLastError 4771->4775 4772->4759 4776 7ff679f94070 CloseHandle 4772->4776 4777 7ff679f9407d 4772->4777 4778 7ff679f93af8 4774->4778 4779 7ff679f93aa0 ConvertStringSecurityDescriptorToSecurityDescriptorW 4774->4779 4775->4759 4776->4777 4782 7ff679f94096 ConvertStringSecurityDescriptorToSecurityDescriptorW 4777->4782 4783 7ff679f94089 CloseHandle 4777->4783 4780 7ff679f93b63 4778->4780 4781 7ff679f93b0b ConvertStringSecurityDescriptorToSecurityDescriptorW 4778->4781 4779->4778 4784 7ff679f93ac0 CreateEventW LocalFree 4779->4784 4786 7ff679f93c81 4780->4786 4790 7ff679f93b83 ConvertStringSecurityDescriptorToSecurityDescriptorW 4780->4790 4781->4780 4785 7ff679f93b2b CreateEventW LocalFree 4781->4785 4787 7ff679f940f6 ConvertStringSecurityDescriptorToSecurityDescriptorW 4782->4787 4788 7ff679f940b8 CreateEventW LocalFree 4782->4788 4783->4782 4784->4778 4785->4780 5342 7ff679fa0f6c 4786->5342 4791 7ff679f9414f 4787->4791 4792 7ff679f94113 CreateEventW LocalFree 4787->4792 4788->4787 4794 7ff679f93bdf ConvertStringSecurityDescriptorToSecurityDescriptorW 4790->4794 4795 7ff679f93ba3 CreateEventW LocalFree 4790->4795 4796 7ff679f94178 4791->4796 4797 7ff679f9416f CloseHandle 4791->4797 4798 7ff679f94159 SetEvent 4791->4798 4792->4791 4793 7ff679f93c86 memset ImpersonateLoggedOnUser 4800 7ff679f93cb1 GetLastError 4793->4800 4814 7ff679f93cbe 4793->4814 4801 7ff679f93bff CreateEventW LocalFree 4794->4801 4802 7ff679f93c39 4794->4802 4795->4794 4796->4759 4799 7ff679f9417d CloseHandle 4796->4799 4797->4796 4798->4797 4803 7ff679f94166 SetEvent 4798->4803 4799->4759 4800->4772 4801->4802 4805 7ff679f93c71 4802->4805 4809 7ff679f93c46 SetEvent 4802->4809 4810 7ff679f93c68 CloseHandle 4802->4810 4803->4797 4804 7ff679f93cd0 CreateFileW 4807 7ff679f9404b 4804->4807 4808 7ff679f93d0b GetLastError 4804->4808 4805->4793 4806 7ff679f93c76 CloseHandle 4805->4806 
4806->4793 4807->4770 4808->4814 4811 7ff679f93c53 SetEvent 4809->4811 4812 7ff679f93c60 4809->4812 4810->4805 4811->4812 4812->4810 4813 7ff679f93e1c wcsrchr 4813->4814 4814->4804 4814->4807 4814->4813 4816 7ff679f94619 4815->4816 4817 7ff679f91ef7 4816->4817 4818 7ff679f94670 RtlCaptureContext RtlLookupFunctionEntry 4816->4818 4817->4430 4819 7ff679f946b5 RtlVirtualUnwind 4818->4819 4820 7ff679f946f7 4818->4820 4819->4820 5347 7ff679f94630 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 4820->5347 4823->4492 4824->4518 4825->4525 4827 7ff679f9d52d GetLastError 4826->4827 4828 7ff679f9d4dc SetThreadDesktop 4826->4828 4831 7ff679f9d566 4827->4831 4832 7ff679f9d548 4827->4832 4829 7ff679f9d522 CloseDesktop 4828->4829 4830 7ff679f9d4e9 GetLastError 4828->4830 4829->4831 4830->4829 4833 7ff679f9d504 4830->4833 4831->4536 4832->4831 5349 7ff679f9a238 EtwTraceMessage 4832->5349 4833->4829 5348 7ff679f9a238 EtwTraceMessage 4833->5348 4836->4545 4837->4557 4839 7ff679f9d2c5 EtwTraceMessage 4838->4839 4839->4560 4841->4561 4843 7ff679f9a3f5 ImpersonateLoggedOnUser 4842->4843 4844 7ff679f9a3c9 4842->4844 4845 7ff679f9a407 4843->4845 4846 7ff679f9a436 4843->4846 4844->4843 5350 7ff679f9a6e0 EtwTraceMessage 4844->5350 4847 7ff679f9a4e2 4845->4847 4851 7ff679f9a434 4845->4851 5351 7ff679f9a218 EtwTraceMessage 4845->5351 4848 7ff679f9a466 4846->4848 4849 7ff679f9a43d 4846->4849 4847->4574 4852 7ff679f9a446 4848->4852 5364 7ff679f9a500 StringFromGUID2 RegGetValueW 4848->5364 4849->4852 5352 7ff679f9bbac 4849->5352 4851->4847 5370 7ff679f9a69c EtwTraceMessage 4851->5370 4855 7ff679f9a4ac RevertToSelf 4852->4855 4855->4851 4859 7ff679f9bbac 26 API calls 4859->4852 4860->4576 4861->4573 4862->4557 4863->4595 4865 7ff679f9d5ed CreateEventW 4864->4865 4871 7ff679f9d879 4864->4871 4866 7ff679f9d63f 4865->4866 4867 7ff679f9d696 CreateThread 4865->4867 4866->4871 4874 7ff679f9d660 GetLastError 4866->4874 4868 7ff679f9d6c3 4867->4868 4869 
7ff679f9d709 ResumeThread WaitForMultipleObjects 4867->4869 4870 7ff679f9d6fb LocalFree 4868->4870 4876 7ff679f9d6dc GetLastError 4868->4876 4872 7ff679f9d7af GetExitCodeThread 4869->4872 4873 7ff679f9d738 4869->4873 4877 7ff679f9d867 CloseHandle 4870->4877 4882 7ff679f9d686 4871->4882 5388 7ff679f9dbdc 4871->5388 4880 7ff679f9d802 4872->4880 4889 7ff679f9d7c9 4872->4889 4885 7ff679f9d73d 4873->4885 4886 7ff679f9d778 4873->4886 5382 7ff679f9a238 EtwTraceMessage 4874->5382 4875 7ff679f9d907 EtwEventWrite GetCurrentProcessId WmsgSendMessage 4884 7ff679f9d94f 4875->4884 4896 7ff679f9d98d 4875->4896 5383 7ff679f9a238 EtwTraceMessage 4876->5383 4877->4871 4881 7ff679f9d9d4 GetTickCount 4877->4881 4893 7ff679f9d80b 4880->4893 4899 7ff679f9d83d 4880->4899 4887 7ff679f9d9e1 4881->4887 4906 7ff679f9d9f2 4881->4906 4882->4875 4895 7ff679f9d9b3 EtwEventWrite 4882->4895 5404 7ff679f9a218 EtwTraceMessage 4882->5404 4891 7ff679f9d984 RtlNtStatusToDosError 4884->4891 4892 7ff679f9d956 4884->4892 4885->4877 4888 7ff679f9d75e GetLastError 4885->4888 4886->4877 5384 7ff679f9a218 EtwTraceMessage 4886->5384 4897 7ff679f9d9e7 CloseHandle 4887->4897 4887->4906 4888->4899 4894 7ff679f9d7aa 4889->4894 5385 7ff679f9a218 EtwTraceMessage 4889->5385 4891->4896 4892->4895 5405 7ff679f9a218 EtwTraceMessage 4892->5405 4893->4894 5386 7ff679f9a218 EtwTraceMessage 4893->5386 4894->4877 4895->4881 4896->4895 5406 7ff679f9a238 EtwTraceMessage 4896->5406 4897->4906 4898 7ff679f95dd5 EtwEventWrite 4898->4592 4898->4607 4899->4877 5387 7ff679f9a238 EtwTraceMessage 4899->5387 4906->4898 5407 7ff679fa0290 EtwTraceMessage 4906->5407 4910 7ff679f9d982 4910->4895 4911->4614 4912->4474 4914 7ff679f93915 4913->4914 4915 7ff679f938ca 4913->4915 4914->4474 4915->4914 5411 7ff679f9737c 4915->5411 4917->4484 4918->4492 4920 7ff679f9da58 EtwEventWrite GetCurrentProcessId WmsgSendMessage 4919->4920 4921 7ff679f9daeb 4919->4921 5421 7ff679f9e4d8 GetCurrentThreadId GetThreadDesktop 4920->5421 4922 7ff679f9db02 
PostMessageW WaitForSingleObject 4921->4922 4923 7ff679f9db86 4921->4923 4925 7ff679f9db71 CloseHandle 4922->4925 4926 7ff679f9db30 4922->4926 4927 7ff679f9db9b 4923->4927 5458 7ff679f9ef24 4923->5458 4925->4923 4930 7ff679f9db67 4926->4930 4934 7ff679f9db42 GetLastError 4926->4934 4928 7ff679f9dba0 LocalFree 4927->4928 4929 7ff679f9dba9 4927->4929 4928->4929 4933 7ff679f960f5 EtwEventWrite 4929->4933 5467 7ff679f9a218 EtwTraceMessage 4929->5467 4930->4925 4933->4467 5457 7ff679f9a238 EtwTraceMessage 4934->5457 4935 7ff679f9da9f 4937 7ff679f9dad1 EtwEventWrite 4935->4937 4939 7ff679f9dabf Sleep 4935->4939 5429 7ff679f9e090 EtwEventWrite WTSQuerySessionInformationW 4935->5429 4937->4921 4939->4935 4939->4937 4940->4494 4941->4642 4942->4645 4944 7ff679f930e6 4943->4944 4946 7ff679f930f0 4943->4946 4944->4946 5007 7ff679f9d04c 4944->5007 4947 7ff679f9315d 4946->4947 4948 7ff679f93140 4946->4948 5010 7ff679f9a238 EtwTraceMessage 4946->5010 4949 7ff679f93269 4947->4949 4959 7ff679f93186 4947->4959 4948->4947 5011 7ff679f9d324 4948->5011 4950 7ff679f931fa 4949->4950 4951 7ff679f96d2e CertFreeCertificateContext 4949->4951 4952 7ff679f93229 4950->4952 4958 7ff679f9d2ac EtwTraceMessage 4950->4958 5014 7ff679f9ba18 memset 4951->5014 4955 7ff679f94610 7 API calls 4952->4955 4957 7ff679f92dc7 RevertToSelf 4955->4957 4957->4674 4958->4952 4960 7ff679f931c2 4959->4960 5018 7ff679f9cf7c 4959->5018 4960->4950 4962 7ff679f9cf7c EtwTraceMessage 4960->4962 4962->4950 4963->4684 4965 7ff679f9d199 EtwTraceMessage 4964->4965 4965->4684 4968 7ff679f9c44a 4967->4968 4969 7ff679f9c463 ImpersonateLoggedOnUser 4968->4969 4972 7ff679f9c647 4968->4972 4970 7ff679f9c475 4969->4970 4969->4972 5021 7ff679f9c9bc 4970->5021 5080 7ff679f9babc 4972->5080 4993 7ff679f9be4f GetSystemMetrics 4992->4993 4994 7ff679f9be7c 4992->4994 4993->4994 4994->4684 4996 7ff679f9befb CoTaskMemFree 4995->4996 4997 7ff679f9beec 4995->4997 4998 7ff679f9bf19 4996->4998 4997->4996 4999 7ff679f9bf2c 4998->4999 5175 
7ff679f9cd20 4998->5175 5001 7ff679f94610 7 API calls 4999->5001 5002 7ff679f9bf44 5001->5002 5002->4684 5004 7ff679f9cefd 5003->5004 5004->5004 5005 7ff679f9cf15 EtwTraceMessage 5004->5005 5005->4684 5006->4664 5008 7ff679f9d07c 5007->5008 5008->5008 5009 7ff679f9d0df EtwTraceMessage 5008->5009 5009->4946 5010->4948 5012 7ff679f9d34b EtwTraceMessage 5011->5012 5012->4947 5015 7ff679f9ba6d 5014->5015 5016 7ff679f94610 7 API calls 5015->5016 5017 7ff679f9baab 5016->5017 5017->4950 5019 7ff679f9cf88 EtwTraceMessage 5018->5019 5019->4960 5088 7ff679f9b950 5021->5088 5023 7ff679f9ca22 5024 7ff679f9ca35 RoGetActivationFactory 5023->5024 5025 7ff679f9cbfe 5024->5025 5026 7ff679f9ca5c 5024->5026 5105 7ff679f9534c 5025->5105 5093 7ff679f950c0 5026->5093 5029 7ff679f9ca66 5099 7ff679f95058 5029->5099 5033 7ff679f9534c 14 API calls 5035 7ff679f9cc27 5033->5035 5038 7ff679f9534c 14 API calls 5035->5038 5039 7ff679f9cc3c 5038->5039 5108 7ff679f9ce40 RaiseException 5039->5108 5081 7ff679f9bb0f 5080->5081 5084 7ff679f9baef 5080->5084 5082 7ff679f94610 7 API calls 5081->5082 5083 7ff679f9bb9b 5082->5083 5083->4684 5084->5081 5173 7ff679f9bd10 CoCreateInstance 5084->5173 5086 7ff679f9bb0b 5086->5081 5087 7ff679f9bb3a GetDriveTypeW 5086->5087 5087->5081 5089 7ff679f9b95f 5088->5089 5090 7ff679f9b963 WindowsCreateStringReference 5088->5090 5089->5090 5091 7ff679f9b979 RaiseException 5090->5091 5092 7ff679f9b98c 5090->5092 5091->5092 5092->5023 5109 7ff679f95138 5093->5109 5095 7ff679f950eb 5096 7ff679f950ef 5095->5096 5097 7ff679f9534c 14 API calls 5095->5097 5096->5029 5098 7ff679f95111 5097->5098 5098->5029 5100 7ff679f9b950 2 API calls 5099->5100 5101 7ff679f9507c 5100->5101 5102 7ff679f95088 5101->5102 5170 7ff679f952a8 5102->5170 5106 7ff679f98ea4 14 API calls 5105->5106 5107 7ff679f95372 5106->5107 5107->5033 5124 7ff679f95378 5109->5124 5111 7ff679f95151 GetTokenInformation 5112 7ff679f95225 5111->5112 5113 7ff679f9517c GetLastError 5111->5113 5115 7ff679f99440 15 API calls 
5112->5115 5113->5112 5114 7ff679f9518b 5113->5114 5126 7ff679f948d0 5114->5126 5123 7ff679f951c1 5115->5123 5118 7ff679f951c3 GetTokenInformation 5121 7ff679f951eb 5118->5121 5118->5123 5119 7ff679f951a3 5129 7ff679f99458 5119->5129 5132 7ff679f99440 5121->5132 5123->5095 5125 7ff679f95390 5124->5125 5125->5111 5135 7ff679f94f88 5126->5135 5139 7ff679f98ea4 5129->5139 5161 7ff679f98e1c 5132->5161 5136 7ff679f94fa6 malloc 5135->5136 5137 7ff679f948e2 5136->5137 5138 7ff679f94f97 5136->5138 5137->5118 5137->5119 5138->5136 5138->5137 5142 7ff679f98c90 5139->5142 5143 7ff679f98c9d 5142->5143 5148 7ff679f98564 5143->5148 5145 7ff679f94610 7 API calls 5147 7ff679f98d87 5145->5147 5147->5123 5149 7ff679f985bd 5148->5149 5150 7ff679f985c9 5148->5150 5149->5150 5151 7ff679f98ea4 11 API calls 5149->5151 5152 7ff679f98661 GetCurrentThreadId memset 5150->5152 5151->5150 5153 7ff679f986c5 5152->5153 5154 7ff679f987fa 5153->5154 5155 7ff679f95014 IsDebuggerPresent 5153->5155 5156 7ff679f9873c 5155->5156 5157 7ff679f987b3 5156->5157 5158 7ff679f97eac 10 API calls 5156->5158 5160 7ff679f98751 5156->5160 5159 7ff679f987b8 OutputDebugStringW 5157->5159 5157->5160 5158->5157 5159->5160 5160->5145 5166 7ff679f9810c GetLastError 5161->5166 5164 7ff679f98c90 14 API calls 5165 7ff679f98e84 5164->5165 5165->5123 5167 7ff679f9815d 5166->5167 5168 7ff679f9812d 5166->5168 5167->5164 5169 7ff679f98ea4 14 API calls 5168->5169 5169->5167 5171 7ff679f950a0 RoGetActivationFactory 5170->5171 5174 7ff679f9bd4d 5173->5174 5174->5086 5176 7ff679f9ce22 5175->5176 5177 7ff679f9cd46 5175->5177 5176->4999 5177->5176 5178 7ff679f9cda2 CoTaskMemAlloc 5177->5178 5178->5176 5179 7ff679f9cdb0 5178->5179 5180 7ff679f9ce19 CoTaskMemFree 5179->5180 5181 7ff679f9cdcd LoadLibraryExW _errno _wtol 5179->5181 5180->5176 5182 7ff679f9ce10 FreeLibrary 5181->5182 5183 7ff679f9cdf7 _errno 5181->5183 5182->5180 5183->5182 5184 7ff679f9ce01 LoadIconW 5183->5184 5184->5182 5186 7ff679f92c3b 5185->5186 5189 7ff679f92be7 
5185->5189 5186->5189 5196 7ff679f9a238 EtwTraceMessage 5186->5196 5187 7ff679f92adb QueueUserAPC 5187->4709 5187->4710 5189->5187 5197 7ff679f9a238 EtwTraceMessage 5189->5197 5191->4718 5192->4722 5193->4727 5194->4718 5195->4703 5196->5189 5197->5187 5199 7ff679f920de 5198->5199 5200 7ff679f92732 5199->5200 5201 7ff679f9211a StringFromGUID2 5199->5201 5203 7ff679f92737 5200->5203 5204 7ff679f9277c 5200->5204 5202 7ff679f92135 5201->5202 5297 7ff679f929d0 wcsrchr 5202->5297 5207 7ff679f929d0 wcsrchr 5203->5207 5206 7ff679f92789 5204->5206 5208 7ff679f929d0 wcsrchr 5204->5208 5209 7ff679f927b9 5206->5209 5210 7ff679f9279a 5206->5210 5211 7ff679f92740 wcsrchr 5207->5211 5208->5206 5213 7ff679f929d0 wcsrchr 5209->5213 5212 7ff679f929d0 wcsrchr 5210->5212 5218 7ff679f92146 5211->5218 5212->5218 5214 7ff679f927c2 5213->5214 5215 7ff679f9291c 5214->5215 5216 7ff679f927e8 _wcsicmp 5214->5216 5215->5218 5222 7ff679f9292e GetTokenInformation 5215->5222 5219 7ff679f927fc _wcsicmp 5216->5219 5238 7ff679f92814 5216->5238 5217 7ff679f92706 5220 7ff679f94610 7 API calls 5217->5220 5218->5217 5221 7ff679f92344 InitOnceBeginInitialize 5218->5221 5224 7ff679f93894 11 API calls 5218->5224 5219->5215 5219->5238 5223 7ff679f92717 5220->5223 5225 7ff679f9236d 5221->5225 5236 7ff679f9243e 5221->5236 5226 7ff679f929a8 GetLastError 5222->5226 5227 7ff679f92958 GetSidSubAuthorityCount 5222->5227 5223->4740 5239 7ff679f92172 5224->5239 5229 7ff679f923ac EventRegister 5225->5229 5225->5236 5226->5218 5227->5218 5228 7ff679f92979 GetSidSubAuthorityCount GetSidSubAuthority 5227->5228 5228->5218 5231 7ff679f923f1 EventSetInformation 5229->5231 5232 7ff679f92406 InitOnceComplete 5229->5232 5230 7ff679f92913 GlobalFree 5230->5215 5231->5232 5232->5236 5233 7ff679f929d0 wcsrchr 5233->5238 5235 7ff679f9266a EventWriteTransfer 5235->5217 5236->5217 5236->5235 5236->5236 5237 7ff679f9290e 5237->5230 5238->5215 5238->5230 5238->5233 5238->5237 5239->5221 5299 7ff679f9a2fc EventWriteTransfer 
5239->5299 5242 7ff679f96193 RevertToSelf 5241->5242 5243 7ff679fa0579 5241->5243 5242->4731 5243->5242 5244 7ff679fa0592 GetLastError 5243->5244 5300 7ff679f9a238 EtwTraceMessage 5244->5300 5247 7ff679f9b23c 5246->5247 5250 7ff679f9b255 5246->5250 5247->5250 5301 7ff679f9a218 EtwTraceMessage 5247->5301 5249 7ff679f961b0 5249->4745 5252 7ff679f9afd0 NtDuplicateToken RtlNtStatusToDosErrorNoTeb 5249->5252 5250->5249 5302 7ff679f9a238 EtwTraceMessage 5250->5302 5252->4745 5254 7ff679f9b062 5253->5254 5255 7ff679f9b08c 5253->5255 5256 7ff679f9b075 LocalAlloc 5254->5256 5257 7ff679f9b069 RtlNtStatusToDosError 5254->5257 5258 7ff679f9b0e9 LocalFree 5255->5258 5256->5255 5259 7ff679f9b091 NtQueryInformationToken 5256->5259 5257->5258 5258->4750 5259->5257 5260 7ff679f9b0b5 5259->5260 5260->5255 5261 7ff679f9b117 RtlSubAuthoritySid RtlSubAuthoritySid 5260->5261 5261->5258 5263 7ff679f9b1a5 5262->5263 5264 7ff679f9b1b4 GetLastError 5262->5264 5265 7ff679f94610 7 API calls 5263->5265 5264->5263 5266 7ff679f96296 5265->5266 5266->4745 5266->4755 5268 7ff679f9b56e GetModuleHandleW LoadStringW 5267->5268 5269 7ff679f9b78b GetLastError 5267->5269 5268->5269 5271 7ff679f9b596 GetModuleHandleW LoadStringW 5268->5271 5270 7ff679f9b787 5269->5270 5272 7ff679f94610 7 API calls 5270->5272 5271->5269 5273 7ff679f9b5d1 GetModuleHandleW LoadStringW 5271->5273 5274 7ff679f9b7a0 5272->5274 5273->5269 5281 7ff679f9b5f9 5273->5281 5274->4744 5275 7ff679f9b677 LocalAlloc 5275->5281 5279 7ff679f9b6d3 WaitForSingleObject 5280 7ff679f9b6e2 LocalFree 5279->5280 5279->5281 5280->5281 5281->5270 5281->5275 5282 7ff679f9a218 EtwTraceMessage 5281->5282 5303 7ff679f9a744 LocalAlloc 5281->5303 5307 7ff679fa03c4 memset GetModuleHandleW #345 5281->5307 5308 7ff679f9a238 EtwTraceMessage 5281->5308 5282->5281 5286 7ff679f9b353 5283->5286 5287 7ff679f9b46a 5286->5287 5293 7ff679f9b430 CoTaskMemFree 5286->5293 5294 7ff679f9b439 CoTaskMemAlloc 5286->5294 5309 7ff679f9a218 EtwTraceMessage 5286->5309 5310 
7ff679f9ae4c RtlLengthRequiredSid RtlLengthRequiredSid LocalAlloc 5286->5310 5318 7ff679f9a238 EtwTraceMessage 5286->5318 5288 7ff679f9b473 CoTaskMemFree 5287->5288 5289 7ff679f9b484 5287->5289 5288->5289 5291 7ff679f9b492 5289->5291 5292 7ff679f9b489 CoTaskMemFree 5289->5292 5291->4745 5292->5291 5293->5294 5294->5286 5295 7ff679f9b44a memcpy 5294->5295 5295->5286 5296->4744 5298 7ff679f929e9 5297->5298 5298->5218 5299->5221 5300->5242 5301->5250 5302->5249 5304 7ff679f9a780 5303->5304 5305 7ff679f9a787 LocalAlloc 5303->5305 5304->5281 5305->5304 5306 7ff679f9a7ad CreateThread 5305->5306 5306->5304 5307->5279 5308->5281 5309->5286 5311 7ff679f9aebe 5310->5311 5312 7ff679f9aec6 8 API calls 5310->5312 5314 7ff679f9af9e LocalFree 5311->5314 5315 7ff679f9af98 SeciFreeCallContext 5311->5315 5319 7ff679f9a808 memset RtlAdjustPrivilege 5312->5319 5316 7ff679f94610 7 API calls 5314->5316 5315->5314 5317 7ff679f9afb5 5316->5317 5317->5286 5318->5286 5320 7ff679f9a8ab LsaRegisterLogonProcess 5319->5320 5338 7ff679f9a8a4 RtlNtStatusToDosError 5319->5338 5322 7ff679f9a8c1 5320->5322 5320->5338 5325 7ff679f9a8ca NtAllocateLocallyUniqueId 5322->5325 5323 7ff679f9aa4d 5324 7ff679f9aa52 5323->5324 5326 7ff679f9aa64 NtClose 5323->5326 5328 7ff679f9aa73 LsaFreeReturnBuffer 5324->5328 5329 7ff679f9aa79 5324->5329 5327 7ff679f9a8d8 RegGetValueW 5325->5327 5325->5338 5326->5324 5330 7ff679f9a911 5327->5330 5331 7ff679f9a917 LsaLogonUser 5327->5331 5328->5329 5333 7ff679f9aa82 LsaDeregisterLogonProcess 5329->5333 5334 7ff679f9aa88 5329->5334 5330->5331 5332 7ff679f9a996 LsaLogonUser 5330->5332 5331->5323 5335 7ff679f9a98d 5331->5335 5339 7ff679f9aa04 5332->5339 5333->5334 5336 7ff679f94610 7 API calls 5334->5336 5335->5332 5335->5339 5337 7ff679f9aa96 5336->5337 5337->5311 5338->5323 5339->5323 5339->5338 5341 7ff679f9b80c EtwTraceMessage 5339->5341 5341->5338 5343 7ff679fa0f8a 5342->5343 5344 7ff679fa0f7c CloseHandle 5342->5344 5345 7ff679fa0fa4 5343->5345 5346 7ff679fa0f96 
CloseHandle 5343->5346 5344->5343 5345->4793 5346->5345 5348->4829 5349->4831 5350->4843 5351->4851 5353 7ff679f92fd0 17 API calls 5352->5353 5354 7ff679f9bc29 5353->5354 5355 7ff679f9bc34 5354->5355 5357 7ff679f9bcc5 5354->5357 5371 7ff679f9b994 5355->5371 5356 7ff679f9bcac 5356->4852 5357->5356 5378 7ff679f9a238 EtwTraceMessage 5357->5378 5361 7ff679f9babc 9 API calls 5362 7ff679f9bc79 5361->5362 5362->5356 5363 7ff679f9bc82 GetSystemMetrics 5362->5363 5363->5356 5365 7ff679f9a577 5364->5365 5366 7ff679f9a5b5 5365->5366 5379 7ff679f9a62c 5365->5379 5367 7ff679f94610 7 API calls 5366->5367 5369 7ff679f9a474 5367->5369 5369->4855 5369->4859 5370->4847 5372 7ff679f9b9b1 CoTaskMemFree CoTaskMemFree CoTaskMemFree 5371->5372 5373 7ff679f9b9a6 DestroyIcon 5371->5373 5374 7ff679f9b9f2 CertFreeCertificateContext 5372->5374 5375 7ff679f9b9e7 CoTaskMemFree 5372->5375 5373->5372 5376 7ff679f9ba18 8 API calls 5374->5376 5375->5374 5377 7ff679f9ba0a 5376->5377 5377->5361 5378->5356 5380 7ff679f9a638 EtwTraceMessage 5379->5380 5380->5366 5382->4882 5383->4870 5384->4894 5385->4894 5386->4894 5387->4877 5389 7ff679f9dc08 5388->5389 5390 7ff679f9d8a3 5388->5390 5391 7ff679f9dc34 WaitForSingleObject 5389->5391 5408 7ff679fa0380 EtwTraceMessage 5389->5408 5390->4882 5403 7ff679f9a238 EtwTraceMessage 5390->5403 5392 7ff679f9dc72 5391->5392 5393 7ff679f9dc46 GetLastError 5391->5393 5394 7ff679f9dcb2 5392->5394 5395 7ff679f9dc79 WaitForSingleObject 5392->5395 5393->5390 5401 7ff679f9dc5e 5393->5401 5398 7ff679f9dcb9 5394->5398 5394->5401 5395->5390 5397 7ff679f9dc93 GetLastError 5395->5397 5397->5390 5397->5401 5398->5390 5409 7ff679f9a218 EtwTraceMessage 5398->5409 5399 7ff679f9dc2d 5399->5391 5401->5390 5410 7ff679f9a238 EtwTraceMessage 5401->5410 5403->4882 5404->4875 5405->4910 5406->4895 5407->4898 5408->5399 5409->5390 5410->5390 5412 7ff679f973c0 InitOnceComplete 5411->5412 5413 7ff679f97390 5411->5413 5416 7ff679f9a17c EventRegister 5413->5416 5417 7ff679f9a1e1 
EventSetInformation 5416->5417 5418 7ff679f9a1d4 5416->5418 5417->5418 5419 7ff679f94610 7 API calls 5418->5419 5420 7ff679f973a4 5419->5420 5420->5412 5422 7ff679f9e510 5421->5422 5423 7ff679f9e4fa 5421->5423 5425 7ff679f9e54e 5422->5425 5427 7ff679f9e529 GetLastError 5422->5427 5468 7ff679f9e3c4 GetUserObjectInformationW GetLastError 5423->5468 5425->4935 5479 7ff679f9a238 EtwTraceMessage 5427->5479 5430 7ff679f9e12f EtwEventWrite WTSFreeMemory 5429->5430 5432 7ff679f9e0e6 5429->5432 5433 7ff679f9e18f EtwEventWrite 5430->5433 5434 7ff679f9e15a 5430->5434 5431 7ff679f9e124 GetLastError 5437 7ff679f9e184 5431->5437 5432->5431 5436 7ff679f9e0ff GetLastError 5432->5436 5484 7ff679f9e340 OpenInputDesktop 5433->5484 5434->5437 5483 7ff679fa0290 EtwTraceMessage 5434->5483 5482 7ff679f9a238 EtwTraceMessage 5436->5482 5437->4935 5440 7ff679f9e1b6 5443 7ff679f9e1e2 GetLastError 5440->5443 5492 7ff679f9a218 EtwTraceMessage 5440->5492 5441 7ff679f9e1fa EtwEventWrite _wcsicmp 5444 7ff679f9e261 _wcsicmp 5441->5444 5445 7ff679f9e228 5441->5445 5443->5431 5443->5437 5446 7ff679f9e271 5444->5446 5447 7ff679f9e2aa _wcsicmp 5444->5447 5448 7ff679f9e256 LocalFree 5445->5448 5493 7ff679f9a218 EtwTraceMessage 5445->5493 5446->5448 5454 7ff679f9cf7c EtwTraceMessage 5446->5454 5449 7ff679f9e2be 5447->5449 5450 7ff679f9e2f4 5447->5450 5448->5437 5449->5448 5494 7ff679f9a218 EtwTraceMessage 5449->5494 5450->5448 5495 7ff679fa01e8 5450->5495 5454->5448 5457->4930 5459 7ff679f9ef9e 5458->5459 5461 7ff679f9ef36 5458->5461 5459->4927 5460 7ff679f9ef64 ReleaseMutex 5460->5459 5462 7ff679f9ef6e GetLastError 5460->5462 5461->5460 5499 7ff679fa0380 EtwTraceMessage 5461->5499 5462->5459 5464 7ff679f9ef80 5462->5464 5464->5459 5500 7ff679f9a238 EtwTraceMessage 5464->5500 5465 7ff679f9ef5d 5465->5460 5467->4933 5469 7ff679f9e445 LocalAlloc 5468->5469 5471 7ff679f9e3fc 5468->5471 5470 7ff679f9e45c GetUserObjectInformationW 5469->5470 5477 7ff679f9e440 CloseDesktop 5469->5477 5472 7ff679f9e480 
                                                           [Control-flow graph edge list (continued), basic blocks 5470-6631. Functions covered: 7ff679f9e362 (CloseDesktop, GetLastError, EtwTraceMessage); 7ff679f9a0a0 / 7ff679f99a30 / 7ff679f99f78 (_vsnprintf_s, GetProcessHeap, HeapAlloc, HeapFree, memcpy_s); 7ff679f9e81d (ReleaseDC, DeleteObject); 7ff679f953b0 window procedure (GetWindowLongW, SetWindowLongW, PostQuitMessage, DefWindowProcW); 7ff679fa003c (BeginPaint, GetWindowDC, GetLayout, BitBlt, ReleaseDC, EndPaint); 7ff679f99bb0 / 7ff679f99614 (??0exception@@QEAA, memcpy_s); 7ff679f9aab0 (LocalAlloc, SeciAllocateAndSetCallFlags, RtlInitString, LsaRegisterLogonProcess, NtAllocateLocallyUniqueId, LsaLogonUser, GetTokenInformation, RtlEqualSid, LsaFreeReturnBuffer, LsaDeregisterLogonProcess, CoTaskMemFree, LocalFree); 7ff679f99430 (_CxxThrowException); 7ff679f9d430 (EtwGetTraceLoggerHandle, EtwGetTraceEnableLevel, EtwGetTraceEnableFlags); 7ff679f959b4 / 7ff679f91bb4 (RtlInitString, LsaRegisterLogonProcess, LsaLookupAuthenticationPackage, LsaCallAuthenticationPackage, EtwSendNotification, NtClose, WaitForSingleObject, TerminateThread, EtwEventWrite, UninitLocalMsCtfMonitor, CertFreeCertificateContext, DestroyIcon, EventUnregister, EtwUnregisterTraceGuids, CoUninitialize); 7ff679f945b5 (_exit, _cexit). Per-edge listing omitted.]
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Local$Free$AllocClose$Event$Write$ErrorInformationProcess$DuplicateObjectStatusString$AuthenticationHandleInitLogonPackageQueryRegisterTaskToken$InitializeSecuritymemsetswscanf_s$AbsoluteCallDeregisterDescriptorGuidsHeapLanguagesLookupMakeMemoryNotificationPreferredSendTraceUnregisterUserVirtual$AuthorityCertCertificateCommandContextConvertDestroyFileGlobalIconImpersonateLastLengthLineLoggedOpenReadRequiredRevertSelfSingleStationUninitializeVolumeWait
                                                          • String ID: BlockConsentUI$ConsentUI$FALSE$MICROSOFT_AUTHENTICATION_PACKAGE_V1_0$Microsoft Windows (c) 2009 Microsoft Corporation$O:BAG:BAD:(A;;0x3;;;IU)(A;;0x3;;;SY)S:(ML;;NX;;;HI)$Software\Microsoft\MediaCenterPeripheral$TRUE
                                                          • API String ID: 1314931228-3125038416
                                                          • Opcode ID: 940eee0e2c10b54a07ea211019aecd208bef5496832005ffeacbc3a4ba17b35b
                                                          • Instruction ID: 0bef805b0e717847e6cebbecdeb9ac7037000767bea91c61b045c3b638d10cdb
                                                          • Opcode Fuzzy Hash: 940eee0e2c10b54a07ea211019aecd208bef5496832005ffeacbc3a4ba17b35b
                                                          • Instruction Fuzzy Hash: 40E23837B28AC38AEB20CF65E8442A927E0FB85768F544135DA4EC7AA4DF7CE545C740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 377 7ff679f94940-7ff679f94957 SetUnhandledExceptionFilter
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 0c08039c36c4a98cffeaa35831f9db072ad85e4cb2ec66eefda2a813b58ad3b7
                                                          • Instruction ID: 0cfac2c16d98b26d2e6e4eab183334dbe3f16849ec5a1c034395e9c302738553
                                                          • Opcode Fuzzy Hash: 0c08039c36c4a98cffeaa35831f9db072ad85e4cb2ec66eefda2a813b58ad3b7
                                                          • Instruction Fuzzy Hash: 9BB09215F76883C9D604AF22AC8906112E0BF68314FC10430C00EC2120EF1CA19A8B00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                           [Control-flow graph 327, entry block 7ff679f943a0-7ff679f943e5: call 7ff679f94ad0, GetStartupInfoW. Subsequent blocks call _amsg_exit, Sleep, _initterm, call 7ff679f94a50, call 7ff679f94940, _ismbblead, call 7ff679f910d0, exit, _cexit, ending at 7ff679f945e2-7ff679f945f7. Per-edge listing omitted.]
                                                          APIs
                                                            • Part of subcall function 00007FF679F94AD0: GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B01
                                                            • Part of subcall function 00007FF679F94AD0: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B0F
                                                            • Part of subcall function 00007FF679F94AD0: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B1B
                                                            • Part of subcall function 00007FF679F94AD0: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B27
                                                            • Part of subcall function 00007FF679F94AD0: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B37
                                                            • Part of subcall function 00007FF679F94AD0: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B52
                                                          • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF679F943D1
                                                          • _amsg_exit.MSVCRT ref: 00007FF679F9440C
                                                          • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF679F94418
                                                          • _initterm.MSVCRT ref: 00007FF679F944A6
                                                          • _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF679F944D3
                                                          • exit.KERNELBASE ref: 00007FF679F94564
                                                          • _cexit.MSVCRT ref: 00007FF679F94573
                                                          • _ismbblead.MSVCRT ref: 00007FF679F94596
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                          • String ID:
                                                          • API String ID: 2995914023-0
                                                          • Opcode ID: 63c3275b775b2315c0d68cec4c0e8ce81620dc47f8642194da29ff36ff41ba60
                                                          • Instruction ID: be988d523ec07165df9b9c6dc70a2dd043c33759233b56503a6e4b6d33aa6ac4
                                                          • Opcode Fuzzy Hash: 63c3275b775b2315c0d68cec4c0e8ce81620dc47f8642194da29ff36ff41ba60
                                                          • Instruction Fuzzy Hash: 8C512433E28A9786F760EF15E85037A22E0FF697A8F590035D95DC76A4DF7CE8458A00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$DescriptorEventLocalSecurity$FreeUser$ConvertCreateErrorLastString$AllocImpersonateLoggedNameProfileRevertSelfUnload
                                                          • String ID:
                                                          • API String ID: 3490941813-0
                                                          • Opcode ID: 3d21345d0a2389a2903e0e4cc1b664589a5cc136661fbb59c8dda6ff7e2a718a
                                                          • Instruction ID: 13d338a81fb4bef41b706f95e14fa6b9756a0efdae30168db8c65aab7e6e10df
                                                          • Opcode Fuzzy Hash: 3d21345d0a2389a2903e0e4cc1b664589a5cc136661fbb59c8dda6ff7e2a718a
                                                          • Instruction Fuzzy Hash: C3227B37B28BD385FB649F65A88827923E0EF45BA8F154135DA1DC37A4DF7DA8488301
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                           [Control-flow graph 723, entry block 7ff679f959b4-7ff679f959cd: RtlInitString, LsaRegisterLogonProcess, call 7ff679f9a238. Subsequent blocks call RtlInitString, LsaLookupAuthenticationPackage, LsaCallAuthenticationPackage, LsaDeregisterLogonProcess, LocalAlloc, EtwSendNotification, LocalFree, NtClose, WaitForSingleObject, CloseHandle, EtwEventWrite, call 7ff679f9da40, UninitLocalMsCtfMonitor, TerminateThread, GetLastError, DestroyIcon, RtlNtStatusToDosError, CoTaskMemFree * 3, CertFreeCertificateContext, memset, call 7ff679faa060, EventUnregister, CoUninitialize, EtwUnregisterTraceGuids, call 7ff679f94610, call 7ff679f93894, call 7ff679f9a2d8, call 7ff679f9a2fc. Per-edge listing omitted.]
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Free$Close$LocalTask$Handle$AuthenticationInitLogonPackageProcessStringTraceUnregister$AllocCallCertCertificateContextDeregisterEventGuidsLookupMessageNotificationObjectRegisterSendSingleUninitializeWaitmemset
                                                          • String ID: ConsentUI$MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
                                                          • API String ID: 2158492339-2701293193
                                                          • Opcode ID: 8840379615fe0c9efddfa03aeee61ce24276b724681c730d928d2ade057b4e79
                                                          • Instruction ID: c67c3c6ef4ea814a725cf3e8b6a180d81b2d170d456f5fdf45fbb606e6453908
                                                          • Opcode Fuzzy Hash: 8840379615fe0c9efddfa03aeee61ce24276b724681c730d928d2ade057b4e79
                                                          • Instruction Fuzzy Hash: 26A10826B29FC38AEB65CF61E8542A827E4FB85B98F054135DA4E87A54DF3CE548C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                           [Control-flow graph 881, entry block 7ff679f9aab0-7ff679f9ab41: LocalAlloc. Subsequent blocks call memset, memcpy, SeciAllocateAndSetCallFlags, RtlInitString, LsaRegisterLogonProcess, call 7ff679f9b7c0, NtAllocateLocallyUniqueId, LsaLogonUser, RtlNtStatusToDosError, GetTokenInformation, RtlEqualSid, GetLastError, LsaFreeReturnBuffer, CloseHandle, LsaDeregisterLogonProcess, CoTaskMemFree, LocalFree, call 7ff679f94610, call 7ff679f9a218, call 7ff679f9b80c. Per-edge listing omitted.]
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Free$LocalLogonProcess$AllocAllocateBufferCallCloseDeregisterErrorFlagsHandleInitRegisterReturnSeciStatusStringTaskmemcpymemset
                                                          • String ID: Winlogon
                                                          • API String ID: 1693999484-744610081
                                                          • Opcode ID: ada491b27562d3412a9634d2f259be747cdf0da85b494c8f7eece2d79c689b54
                                                          • Instruction ID: 0b0602f641e629c3a69d7a7f70e7355d617bfd35a44479420f2dba5d88e7d6a1
                                                          • Opcode Fuzzy Hash: ada491b27562d3412a9634d2f259be747cdf0da85b494c8f7eece2d79c689b54
                                                          • Instruction Fuzzy Hash: BEB11436A29B828AEB10CF65E4806AD37F4FB48B58B514136DE8D93B64DF3CE555CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                           [Control-flow graph 1037, entry block 7ff679f9d574-7ff679f9d5e7: GetTickCount, LocalAlloc. Subsequent blocks call CreateEventW, CreateThread, ResumeThread, WaitForMultipleObjects, GetExitCodeThread, GetLastError, LocalFree, CloseHandle, EtwEventWrite, GetCurrentProcessId, WmsgSendMessage, RtlNtStatusToDosError, GetTickCount, call 7ff679f9dbdc, call 7ff679f9a238, call 7ff679f9a218, call 7ff679fa0290, ending at 7ff679fa25-7ff679f9da3f. Per-edge listing omitted.]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorEvent$CloseCountCreateHandleLastLocalMessageTickWrite$AllocCurrentFreeProcessSendStatusThreadTraceWmsg
                                                          • String ID:
                                                          • API String ID: 2066120322-0
                                                          • Opcode ID: 0ece021af2e5bbf01638358dbbadf21677eae37f36c9973c6e1376814828987f
                                                          • Instruction ID: 067a968f59a9130a3186ba86dceeabcca07217edf9f2b2d18fa052456cb09b03
                                                          • Opcode Fuzzy Hash: 0ece021af2e5bbf01638358dbbadf21677eae37f36c9973c6e1376814828987f
                                                          • Instruction Fuzzy Hash: E3E17D37A28AC386EB14DF15D84427927E1FB45BA8F644036DA0EC7AA5CF7DE456C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CreateObject$DeleteSelectWindow$CloseCompatibleFileHandleMappingMessageRectSectionSendShellTimeout
                                                          • String ID: $B$Local\Microsoft-Windows-DesktopBackground
                                                          • API String ID: 2267755424-2070915447
                                                          • Opcode ID: 97602d448d7a0d64b356a54eebcf58ccd4d53053855e27b3c76a815c09432a48
                                                          • Instruction ID: ddbe59530b342538eda2f2c91f33dad67d45f4048a31f7744760acdb1741210e
                                                          • Opcode Fuzzy Hash: 97602d448d7a0d64b356a54eebcf58ccd4d53053855e27b3c76a815c09432a48
                                                          • Instruction Fuzzy Hash: A1518D37B29B828AEB10DF62A80466977E5FB49B98F464239DE0D93B54DF3CD405CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Logon$ProcessUser$AdjustAllocateBufferCloseDeregisterErrorFreeLocallyPrivilegeRegisterReturnStatusUniqueValuememset
                                                          • String ID: CredProvConsent$InteractiveLogonFirst$Software\Microsoft\Windows\CurrentVersion\Policies\System
                                                          • API String ID: 3467969132-1257621240
                                                          • Opcode ID: 284e21510437373785a2d7f589c9069567d096410125ca6fbfd78e0161a84a17
                                                          • Instruction ID: 3370e807633e4b7902862c4d73f78c60fc04862ea402879e8e1fb79e2067427a
                                                          • Opcode Fuzzy Hash: 284e21510437373785a2d7f589c9069567d096410125ca6fbfd78e0161a84a17
                                                          • Instruction Fuzzy Hash: 5081C336B19B829AEB10CFA5E4806AD73F5EB48758B400139DA8D93A58EF3CD519C740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CreateDriveFreeImpersonateInstanceLoggedMetricsRevertSelfSystemTaskTypeUsermemset
                                                          • String ID: FALSE$TRUE$W$W
                                                          • API String ID: 380875043-2421341635
                                                          • Opcode ID: 75b7765715b5257bd25d8d8980dc53470390ce17ef591a445d49fc56cc71da30
                                                          • Instruction ID: d6e9898a1cb257a510a11c96e20993b50debd077678f866f833f7fd0688684a3
                                                          • Opcode Fuzzy Hash: 75b7765715b5257bd25d8d8980dc53470390ce17ef591a445d49fc56cc71da30
                                                          • Instruction Fuzzy Hash: 26224A37A28A8786EB24DF25D8446B923E5FB45BA8F014132DA4EC3BA5DF3DE545C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _wtoi.MSVCRT ref: 00007FF679F9C14D
                                                          • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C16B
                                                          • CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C17E
                                                          • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C19A
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C1A7
                                                          • CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C260
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C3BF
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C3FB
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,00000000,?,?,0000000A,00007FF679F96A42), ref: 00007FF679F9C404
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Task$Free$AllocInfoLocale$_wtoi
                                                          • String ID: %s%s%s%s%s
                                                          • API String ID: 2618417621-2610978714
                                                          • Opcode ID: faf39c8d6cd064c1003b8f0dd0420065ba799b629d017e0fef2c6435cb65d594
                                                          • Instruction ID: e507aa0e52ff78f08a403b0c37de353f167b5f50d88493073e8e604f0b79d787
                                                          • Opcode Fuzzy Hash: faf39c8d6cd064c1003b8f0dd0420065ba799b629d017e0fef2c6435cb65d594
                                                          • Instruction Fuzzy Hash: 27A15F67B29B8382EA549F25991067922E1FF45BB8F504232DE6EC37D8DF3CE4858704
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: DuplicateObject$Heap$AllocEventFreeMemoryReadVirtualWrite
                                                          • String ID:
                                                          • API String ID: 491614474-0
                                                          • Opcode ID: 38a11174f61b7cce3158488a8d6e1456c15c9873dace2d2091946d86059b8ce9
                                                          • Instruction ID: e486b06657d4b0189f7d1023803fdc84342164a6447fa8d9ce371c833bcc28f4
                                                          • Opcode Fuzzy Hash: 38a11174f61b7cce3158488a8d6e1456c15c9873dace2d2091946d86059b8ce9
                                                          • Instruction Fuzzy Hash: 6C916E73A28B8286DB20CF29D44422977E4FB89BA8F144235DA5DC7798EF3DE851C740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: StringWindows$Delete$BufferCompareExceptionMessageOrdinalRaiseTracememset
                                                          • String ID:
                                                          • API String ID: 2934883565-0
                                                          • Opcode ID: 24d4e45d1c55644b09def586142ccf952e506189b5a0e11465aaed664477fb2d
                                                          • Instruction ID: 732a75518a0d17c3c03aff05da3d4e6cc0718e293cae1a070df8afee4619f4e0
                                                          • Opcode Fuzzy Hash: 24d4e45d1c55644b09def586142ccf952e506189b5a0e11465aaed664477fb2d
                                                          • Instruction Fuzzy Hash: 83811927A28AC782EB50DF25E88026A67E0FB85BA4F045035EE9EC3765DF3DD455CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: AuthorityLocal$AllocErrorFreeInformationQueryStatusToken
                                                          • String ID:
                                                          • API String ID: 134697546-0
                                                          • Opcode ID: 1d0658bbc21f42e473f616f4e368dce9115a9f3f3dccd8fbe91e7778e62f066f
                                                          • Instruction ID: 879d15dbfad49bc9821e9b9230376e197995b1b486873dbd4ee789f1cb12205a
                                                          • Opcode Fuzzy Hash: 1d0658bbc21f42e473f616f4e368dce9115a9f3f3dccd8fbe91e7778e62f066f
                                                          • Instruction Fuzzy Hash: 18318B37B28A928BE7148F12E48462D77A0FB88B95F058039CA4D87B64DF3DE815CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B01
                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B0F
                                                          • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B1B
                                                          • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B27
                                                          • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B37
                                                          • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,00007FF679F943A9), ref: 00007FF679F94B52
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 4104442557-0
                                                          • Opcode ID: 6d0cdc2d78082eb4a7d7cdf4a4d2663ae9ea4f01ca4d92b289326d4aa200cf59
                                                          • Instruction ID: ac7cc44570b6ac420eecd90be4c3862e93ad69845359b9c8bb21c8e0c2bc366c
                                                          • Opcode Fuzzy Hash: 6d0cdc2d78082eb4a7d7cdf4a4d2663ae9ea4f01ca4d92b289326d4aa200cf59
                                                          • Instruction Fuzzy Hash: 48110B26B14F828AEB00DF61E84416933E4FB097A8B411A35EA6D83754EF7CD5648740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
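
The records above identify each analyzed function by the memory dump it was lifted from, and the dump file names encode the region's process, base address and page protection. The following is an added example, not code from the Joe Sandbox report or from Joe Security: it decodes the .sdmp names listed on this page and converts the `ref:` addresses of the API calls to RVAs so they can be looked up in the on-disk consent.exe. The field layout is inferred, not documented here: the first field matches the PID (13) and the second the index (2) in the snapshot name hcaresult_13_2_7ff679f90000_consent.jbxd, and the fifth and seventh fields match the Win32 PAGE_* and MEM_* constants a loaded PE image would show (execute-read for the .text dump at 00007FF679F91000, read-write for the data dump at 00007FF679FA8000). Treat the remaining fields as unknown.

```python
"""Decode Joe Sandbox .sdmp memory-dump names and map API refs to RVAs.

Added example; not part of the Joe Sandbox report. The field layout below is
an assumption inferred from this page (PID 13 and dump index 2 agree with the
snapshot name) and from the Win32 PAGE_*/MEM_* constants the protection and
type fields line up with. Fields 2 and 5 are not interpreted.
"""
from dataclasses import dataclass

# Win32 page protection constants (winnt.h); lower byte only.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Win32 region type constants (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class DumpRegion:
    pid: int
    dump_index: int
    base: int
    protection: str
    mem_type: str

    @property
    def executable(self) -> bool:
        """True for pages a disassembler should treat as code."""
        return self.protection.startswith("PAGE_EXECUTE")


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split '<pid>.<idx>.<id>.<base>.<protect>.<?>.<type>.<n>.sdmp' (assumed layout)."""
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected field count in {name!r}")
    protect = int(fields[4], 16)
    mem_type = int(fields[6], 16)
    return DumpRegion(
        pid=int(fields[0], 16),
        dump_index=int(fields[1], 16),
        base=int(fields[3], 16),
        protection=PAGE_PROTECTION.get(protect & 0xFF, f"0x{protect:X}"),
        mem_type=MEM_TYPE.get(mem_type, f"0x{mem_type:X}"),
    )


def to_rva(address: int, image_base: int) -> int:
    """Turn a runtime 'ref:' address into an RVA for the on-disk PE."""
    if address < image_base:
        raise ValueError("address below image base")
    return address - image_base


# Dump names and API reference addresses copied from the records on this page.
IMAGE_BASE = 0x00007FF679F90000
DUMPS = [
    "0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp",
    "0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp",
    "0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp",
    "0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp",
]
API_REFS = {"GetTickCount": 0x00007FF679F94B27, "IsDebuggerPresent": 0x00007FF679F9503B}


def executable_regions(names=DUMPS):
    """Bases of the dumped regions that are executable image pages."""
    return [r.base for r in map(parse_sdmp_name, names) if r.executable]


if __name__ == "__main__":
    for n in DUMPS:
        r = parse_sdmp_name(n)
        print(f"pid={r.pid} base={r.base:#x} {r.protection} {r.mem_type}")
    for api, addr in API_REFS.items():
        print(f"{api}: RVA {to_rva(addr, IMAGE_BASE):#x}")
```

Only the 00007FF679F91000 dump decodes as execute-read, which is why every function record on this page is sourced from it; the read-only and read-write dumps are the header, .rdata and .data of the same image. The RVAs (GetTickCount ref at 0x4B27, IsDebuggerPresent ref at 0x503B) are what to search for in the on-disk binary, since the runtime base 00007FF679F90000 is ASLR-relocated.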

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: DuplicateErrorImpersonateLoggedRevertSelfStatusTokenUser
                                                          • String ID: 0
                                                          • API String ID: 1528932592-4108050209
                                                          • Opcode ID: fbb040aaaf263dda08a827431e3444a14085b2fd2c8133341b807e734ef2c8ac
                                                          • Instruction ID: f80098faba8871ab0961cd91a71144ac8b26bc9414cad06c21b8cd3ea3683c57
                                                          • Opcode Fuzzy Hash: fbb040aaaf263dda08a827431e3444a14085b2fd2c8133341b807e734ef2c8ac
                                                          • Instruction Fuzzy Hash: DC912A33A28AC386FB608F15E84477962E5FB85798F144035DA4DC3AA9DF7DE891CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: DuplicateErrorStatusToken
                                                          • String ID: 0
                                                          • API String ID: 3791273963-4108050209
                                                          • Opcode ID: eaf2eb0f86443ef3fb02d1402e6392b18156d88f5e7170f0e2b0192bcf0cd68a
                                                          • Instruction ID: c5b42ad864107b42e9099b70ed25b5c6255b96038edac39eb54d694fb5af8ee2
                                                          • Opcode Fuzzy Hash: eaf2eb0f86443ef3fb02d1402e6392b18156d88f5e7170f0e2b0192bcf0cd68a
                                                          • Instruction Fuzzy Hash: BEE03077F38B8186E310CF70A40954E72E1FB84384F514335D68843600EF7D8555CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF679F97616,?,?,?,00007FF679F98C26), ref: 00007FF679F97975
                                                          • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF679F97616,?,?,?,00007FF679F98C26), ref: 00007FF679F97983
                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF679F97616,?,?,?,00007FF679F98C26), ref: 00007FF679F979A1
                                                          • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF679F97616,?,?,?,00007FF679F98C26), ref: 00007FF679F979AF
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Heap$FreeProcess
                                                          • String ID:
                                                          • API String ID: 3859560861-0
                                                          • Opcode ID: 64c2b0fc4226b00f776ac0e9beb43cf368554fabd588ad3b1efa1f632691267f
                                                          • Instruction ID: 78f6e0acd5f731c5f54bc345fdef78bef4493f9923a3c2864bc348d9ade302ba
                                                          • Opcode Fuzzy Hash: 64c2b0fc4226b00f776ac0e9beb43cf368554fabd588ad3b1efa1f632691267f
                                                          • Instruction Fuzzy Hash: 11016D62B18B9686EB00CF66E440059B3B4FB48F94B4C8035DB8C83B18DF3CE492C744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindResourceExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00007FF679FA0DF2,?,?,?,?,00000000,00007FF679F9C139,?,?,?,?,00000000,?), ref: 00007FF679FA0EC1
                                                          • LoadResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00007FF679FA0DF2,?,?,?,?,00000000,00007FF679F9C139,?,?,?,?,00000000,?), ref: 00007FF679FA0ED4
                                                          • LockResource.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,00000000,00007FF679FA0DF2,?,?,?,?,00000000,00007FF679F9C139,?,?,?,?,00000000,?), ref: 00007FF679FA0EE2
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindLoadLock
                                                          • String ID:
                                                          • API String ID: 2752051264-0
                                                          • Opcode ID: ba763983280beb37cf959841ca2f8f93c2c959291dc6a3f642176b83ea4e8cf6
                                                          • Instruction ID: 8ae0eb8565dff817d5067b3b25e2ae42ec9ed75f997744fd32c2fee445e9da36
                                                          • Opcode Fuzzy Hash: ba763983280beb37cf959841ca2f8f93c2c959291dc6a3f642176b83ea4e8cf6
                                                          • Instruction Fuzzy Hash: 26219063B29B9386EB548F65A45023962E0EF4AF84B084035EE4DD7758DE3DE850C300
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,00007FF679F9873C), ref: 00007FF679F9503B
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 1347740429-0
                                                          • Opcode ID: 1b6e96f42492e7d50caee4dbbbf13e9157c0cf237e83a0ed2e457a477d76dfc6
                                                          • Instruction ID: 1c83fc7d31468dca6c4123900869f049d1500104e80af4caf1d7db51dc709db5
                                                          • Opcode Fuzzy Hash: 1b6e96f42492e7d50caee4dbbbf13e9157c0cf237e83a0ed2e457a477d76dfc6
                                                          • Instruction Fuzzy Hash: F2E08626F2A6C34AFB586F61189113523D4AF57761F08143DCC4EC72A0EE1D78AC5360
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph
                                                           • Function 7ff679f9e850 - 7ff679f9eceb (graph rendered interactively on the original page; executed/not-executed shading not recoverable here). Imports on its basic blocks: LoadStringW, GetLastError, LoadLibraryW, LoadIconW, LoadCursorW, FreeLibrary, RegisterClassW, CreateWindowExW, ShowWindow, GetMessageW, TranslateMessage, DispatchMessageW, UnregisterClassW, LocalAlloc, LocalFree. Internal calls: 7ff679f94610, 7ff679f9a238, 7ff679f99aac, 7ff679f9a218.
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Load$ClassFreeLibraryLocalStringWindow$AllocCreateCursorIconMessageRegisterShowUnregister
                                                          • String ID: $$$Secure UAP Dummy Window Class For Interim Dialog$imageres.dll
                                                          • API String ID: 677155613-2841547504
                                                          • Opcode ID: 8d7d3c35a3cced3d440a923cfbf0355decb1178b3f54aadb432bfedb8f4f2f3e
                                                          • Instruction ID: 10149894cdfa3a629a472e7965037527bae6983af8fcfcedb98e4b27cd818e99
                                                          • Opcode Fuzzy Hash: 8d7d3c35a3cced3d440a923cfbf0355decb1178b3f54aadb432bfedb8f4f2f3e
                                                          • Instruction Fuzzy Hash: 31C14732A2CBC381E7658F15E4443A966E1FB85BA4F554135CA9EC3AA4DF7CE445C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph
                                                           • Function 7ff679f9b4b4 - 7ff679f9b7bc (graph rendered interactively on the original page; executed/not-executed shading not recoverable here). Imports on its basic blocks: memset (x2), GetModuleHandleW, LoadStringW, GetLastError, LocalAlloc, WaitForSingleObject, LocalFree. Internal calls: 7ff679f94610, 7ff679faa080, 7ff679f9a218, 7ff679f9a744, 7ff679fa03c4, 7ff679f9a238.
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Localmemset$AllocErrorFreeLastMessageObjectSingleTraceWait
                                                          • String ID: $H
                                                          • API String ID: 1414692188-1323546614
                                                          • Opcode ID: 8c18cf2a8790c3b67d0b2f72982d3ac43231f8a9322975c054c660eee088c4f1
                                                          • Instruction ID: 61a8420a7de06cff8bea7637528b1191f9d8498f3717c3ad9b7018da8e2426bb
                                                          • Opcode Fuzzy Hash: 8c18cf2a8790c3b67d0b2f72982d3ac43231f8a9322975c054c660eee088c4f1
                                                          • Instruction Fuzzy Hash: 7C813A32A29B8386EB64CF61E8846A933E0FB85B58F544136CA4EC7798DF7CE545C740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph
                                                           • Function 7ff679f9e090 - 7ff679f9e33e (graph rendered interactively on the original page; executed/not-executed shading not recoverable here). Imports on its basic blocks: EtwEventWrite, WTSQuerySessionInformationW, WTSFreeMemory, GetLastError, _wcsicmp (x3), LocalFree. Internal calls: 7ff679f9e340, 7ff679f9a238, 7ff679fa0290, 7ff679f9a218, 7ff679f9cf7c, 7ff679fa01e8.
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                           • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                           • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: EventWrite$ErrorLastMessageTrace_wcsicmp$Free$InformationLocalMemoryQuerySession
                                                          • String ID: Screen-saver$winlogon
                                                          • API String ID: 1397932087-3534835409
                                                          • Opcode ID: cd536bb32b12b1e2001bc9e604705d68df8889e55565778c26a46f08fdc3f712
                                                          • Instruction ID: 70ec4b9462c42adbbbe54c2f0560b938bfe988b3ddaf38d0181d9baa9014699b
                                                          • Opcode Fuzzy Hash: cd536bb32b12b1e2001bc9e604705d68df8889e55565778c26a46f08fdc3f712
                                                          • Instruction Fuzzy Hash: C7811332A2CAC385EB148F15E8507B827E1FF86BA8F548431C94EC76A4DFADE546C744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph
                                                           • Function 7ff679f97eac - 7ff679f9810b (graph rendered interactively on the original page; executed/not-executed shading not recoverable here). Imports on its basic blocks: FormatMessageW, GetCurrentThreadId. Internal calls: 7ff679f94610, 7ff679f98800 (called from most blocks).
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CurrentFormatMessageThread
                                                          • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                          • API String ID: 2411632146-2849347638
                                                          • Opcode ID: 060396ede6836cc2de2ac2224add90ac5d042a73a2d3161d2f61deef7bd0de27
                                                          • Instruction ID: 70522a28b12eea3de42cf675740070bd3c0b4b1dbd1c75911f7c2aa3a1a62127
                                                          • Opcode Fuzzy Hash: 060396ede6836cc2de2ac2224add90ac5d042a73a2d3161d2f61deef7bd0de27
                                                          • Instruction Fuzzy Hash: 54615963A38BC381EA24DF61A4046BA63E0FF45BA8F454136DA4DD77A9DF3CE5508740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 1274 7ff679f9e55c-7ff679f9e5cd EtwEventWrite GetDC CreateCompatibleDC 1275 7ff679f9e5d3-7ff679f9e5d6 1274->1275 1276 7ff679f9e782-7ff679f9e79f GetLastError 1274->1276 1275->1276 1279 7ff679f9e5dc-7ff679f9e5fd CreateCompatibleBitmap 1275->1279 1277 7ff679f9e7a1-7ff679f9e7a5 1276->1277 1278 7ff679f9e7c0-7ff679f9e7c3 1276->1278 1277->1278 1280 7ff679f9e7a7 1277->1280 1283 7ff679f9e7d0-7ff679f9e7d3 1278->1283 1284 7ff679f9e7c5-7ff679f9e7ca ReleaseDC 1278->1284 1281 7ff679f9e5ff-7ff679f9e61c GetLastError 1279->1281 1282 7ff679f9e635-7ff679f9e644 SelectObject 1279->1282 1285 7ff679f9e7ac-7ff679f9e7bf call 7ff679f9a238 1280->1285 1281->1278 1286 7ff679f9e622-7ff679f9e626 1281->1286 1287 7ff679f9e646-7ff679f9e663 GetLastError 1282->1287 1288 7ff679f9e67d-7ff679f9e68e 1282->1288 1289 7ff679f9e7de-7ff679f9e81c EtwEventWrite call 7ff679f94610 1283->1289 1290 7ff679f9e7d5-7ff679f9e7d8 DeleteObject 1283->1290 1284->1283 1285->1278 1286->1278 1296 7ff679f9e62c-7ff679f9e630 1286->1296 1287->1278 1291 7ff679f9e669-7ff679f9e66d 1287->1291 1293 7ff679f9e690-7ff679f9e694 1288->1293 1294 7ff679f9e6ea-7ff679f9e6f7 GetSystemMetrics 1288->1294 1290->1289 1291->1278 1297 7ff679f9e673-7ff679f9e678 1291->1297 1299 7ff679f9e6be-7ff679f9e6c1 1293->1299 1300 7ff679f9e696-7ff679f9e6b7 GetLayout call 7ff679fa0290 1293->1300 1302 7ff679f9e6f9-7ff679f9e703 1294->1302 1303 7ff679f9e76a 1294->1303 1296->1285 1297->1285 1299->1294 1306 7ff679f9e6c3-7ff679f9e6c7 1299->1306 1300->1299 1307 7ff679f9e720-7ff679f9e768 SetDCBrushColor GetStockObject FillRect 1302->1307 1308 7ff679f9e705-7ff679f9e709 1302->1308 1304 7ff679f9e76d call 7ff679f9ed30 1303->1304 1310 7ff679f9e772-7ff679f9e775 call 7ff679f9dd30 1304->1310 1306->1294 1312 7ff679f9e6c9-7ff679f9e6e5 GetLayout call 7ff679fa0290 1306->1312 1309 7ff679f9e77a-7ff679f9e780 1307->1309 1308->1307 1313 7ff679f9e70b-7ff679f9e71b call 7ff679f9a218 1308->1313 1309->1278 1310->1309 1312->1294 1313->1307
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CompatibleCreateEventObjectWrite$BitmapDeleteReleaseSelect
                                                          • String ID:
                                                          • API String ID: 3545452201-0
                                                          • Opcode ID: 55b5235950708ed3279645c731c22642f46337bfe29f92419ac9fbe5417875c1
                                                          • Instruction ID: 0c4bcc1bcf17a3220d4dc9d32351ae0457476b43692041cd3d7246480b1a390a
                                                          • Opcode Fuzzy Hash: 55b5235950708ed3279645c731c22642f46337bfe29f92419ac9fbe5417875c1
                                                          • Instruction Fuzzy Hash: 81815436B2DB8386EB548F21A85837923E0EB8AB94F144435DA5EC77A4CF7CE8018701
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 1317 7ff679fa06e0-7ff679fa0757 LoadLibraryExW 1318 7ff679fa0759-7ff679fa0764 GetLastError 1317->1318 1319 7ff679fa07ac-7ff679fa07be call 7ff679fa0d04 1317->1319 1321 7ff679fa0771-7ff679fa0782 1318->1321 1322 7ff679fa0766-7ff679fa076a 1318->1322 1326 7ff679fa07c0-7ff679fa07d1 1319->1326 1327 7ff679fa07e8-7ff679fa0865 memset 1319->1327 1324 7ff679fa0788-7ff679fa078c 1321->1324 1325 7ff679fa0c3c-7ff679fa0c5d call 7ff679f952a8 * 3 1321->1325 1322->1321 1324->1325 1328 7ff679fa0792 1324->1328 1347 7ff679fa0c5f-7ff679fa0c68 FreeLibrary 1325->1347 1348 7ff679fa0c69-7ff679fa0c6c 1325->1348 1326->1325 1332 7ff679fa07d7-7ff679fa07db 1326->1332 1333 7ff679fa0869-7ff679fa08b1 1327->1333 1330 7ff679fa0797-7ff679fa07a7 call 7ff679f9a238 1328->1330 1330->1325 1332->1325 1336 7ff679fa07e1-7ff679fa07e6 1332->1336 1333->1333 1337 7ff679fa08b3-7ff679fa08fa 1333->1337 1336->1330 1343 7ff679fa0927-7ff679fa0944 CreateEventW 1337->1343 1344 7ff679fa08fc-7ff679fa090d 1337->1344 1345 7ff679fa0946-7ff679fa0951 GetLastError 1343->1345 1346 7ff679fa0989-7ff679fa09a6 call 7ff679fa04c4 1343->1346 1344->1325 1349 7ff679fa0913-7ff679fa0917 1344->1349 1351 7ff679fa095e-7ff679fa096f 1345->1351 1352 7ff679fa0953-7ff679fa0957 1345->1352 1362 7ff679fa09b1-7ff679fa09c1 1346->1362 1363 7ff679fa09a8-7ff679fa09ae 1346->1363 1347->1348 1353 7ff679fa0c7f-7ff679fa0cd0 call 7ff679f952a8 * 3 call 7ff679f94610 1348->1353 1354 7ff679fa0c6e-7ff679fa0c7e 1348->1354 1349->1325 1350 7ff679fa091d 1349->1350 1350->1343 1351->1325 1356 7ff679fa0975-7ff679fa0979 1351->1356 1352->1351 1354->1353 1356->1325 1359 7ff679fa097f 1356->1359 1359->1346 1365 7ff679fa09c3-7ff679fa09d5 1362->1365 1366 7ff679fa09d8-7ff679fa09db 1362->1366 1363->1362 1365->1366 1367 7ff679fa0a18-7ff679fa0a3e call 7ff679fa05bc 1366->1367 1368 7ff679fa09dd-7ff679fa09ee 1366->1368 1381 7ff679fa0a40 1367->1381 1382 7ff679fa0a88-7ff679fa0abd CreateFileW 1367->1382 1371 7ff679fa0c25-7ff679fa0c31 CloseHandle 1368->1371 1372 7ff679fa09f4-7ff679fa09f8 1368->1372 1371->1325 1378 7ff679fa0c33-7ff679fa0c36 CloseHandle 1371->1378 1372->1371 1376 7ff679fa09fe-7ff679fa0a13 call 7ff679f9a218 1372->1376 1376->1371 1378->1325 1387 7ff679fa0a42-7ff679fa0a46 1381->1387 1388 7ff679fa0a4d-7ff679fa0a5e 1381->1388 1384 7ff679fa0abf-7ff679fa0aca GetLastError 1382->1384 1385 7ff679fa0b05-7ff679fa0b11 GetFileType 1382->1385 1389 7ff679fa0ad7-7ff679fa0aeb 1384->1389 1390 7ff679fa0acc-7ff679fa0ad0 1384->1390 1391 7ff679fa0b3e-7ff679fa0b64 1385->1391 1392 7ff679fa0b13-7ff679fa0b24 1385->1392 1387->1388 1388->1371 1393 7ff679fa0a64-7ff679fa0a68 1388->1393 1389->1371 1394 7ff679fa0af1-7ff679fa0af5 1389->1394 1390->1389 1401 7ff679fa0b91-7ff679fa0bf2 1391->1401 1402 7ff679fa0b66-7ff679fa0b77 1391->1402 1392->1371 1395 7ff679fa0b2a-7ff679fa0b2e 1392->1395 1393->1371 1396 7ff679fa0a6e 1393->1396 1394->1371 1397 7ff679fa0afb-7ff679fa0b00 1394->1397 1395->1371 1398 7ff679fa0b34 1395->1398 1400 7ff679fa0a73-7ff679fa0a83 call 7ff679f9a238 1396->1400 1397->1400 1398->1391 1400->1371 1408 7ff679fa0bf4-7ff679fa0c05 1401->1408 1409 7ff679fa0c17-7ff679fa0c1f WaitForSingleObject 1401->1409 1402->1371 1404 7ff679fa0b7d-7ff679fa0b81 1402->1404 1404->1371 1406 7ff679fa0b87 1404->1406 1406->1401 1408->1371 1410 7ff679fa0c07-7ff679fa0c0b 1408->1410 1409->1371 1410->1371 1411 7ff679fa0c0d 1410->1411 1411->1409
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorLast$CreateFileHandleLibrary$CurrentEventFreeLoadOpenTypeUsermemset
                                                          • String ID: @B^E$audioses.dll
                                                          • API String ID: 2876429159-1282506805
                                                          • Opcode ID: d0fcbaf146fbdd1769b0ddc519b10e99716f830cbac5cc7ff8217c97c7750bd5
                                                          • Instruction ID: 7a8e6b59c1a3179f4f699e3fa1886c8111da537a130554e22bbda140db2bd52e
                                                          • Opcode Fuzzy Hash: d0fcbaf146fbdd1769b0ddc519b10e99716f830cbac5cc7ff8217c97c7750bd5
                                                          • Instruction Fuzzy Hash: 02F13923A28BC781EB10CF25E8506A967F0FB86798F548135DA4E87BA5DF7CE585C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CloseCreateEventHandle$Local$AllocFreeObjectQueueSingleThreadUserWait
                                                          • String ID:
                                                          • API String ID: 1429053732-0
                                                          • Opcode ID: 3c482ecf7030dc25b736788c6e6c126186b5d84ab3906d5f0b598b0fdea1dfc4
                                                          • Instruction ID: 2ca3be10f4de8dbbb6d4c2257df5db1ad84fdf0cc733df80f9ef832946c535ad
                                                          • Opcode Fuzzy Hash: 3c482ecf7030dc25b736788c6e6c126186b5d84ab3906d5f0b598b0fdea1dfc4
                                                          • Instruction Fuzzy Hash: 4B512837A29E8386FB58DF25E81427823E1EF85B98F188435C91EC36A4DF7CE8458344
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Local$Alloc$Free$ErrorLastQueueUser$CallCancelObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 3629817563-0
                                                          • Opcode ID: 1aa3ed89118671ebc43add6e750f34f09290828d18ebd8ddc84d68243b274888
                                                          • Instruction ID: 63bf0ee9ed243ad536aaaced2cb02f498a7d6b31332a377b94b39c028b1d8af8
                                                          • Opcode Fuzzy Hash: 1aa3ed89118671ebc43add6e750f34f09290828d18ebd8ddc84d68243b274888
                                                          • Instruction Fuzzy Hash: A5B13533A29A8386EB54CF15E8447B933E0EB45B68F558431DA4EC76A4DF7CE84A8740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Authority$LengthRequired$FreeInitializeLocalSeci$AddressAllocAllocateCallContext
                                                          • String ID:
                                                          • API String ID: 422712524-0
                                                          • Opcode ID: 72f91d84b24b300e0affb6d17c6e23072b4a18bfd84108dcc0ddd08e7aec4a2a
                                                          • Instruction ID: 2769dd9e709a1e4e4d1c1714feb3083531fec7f7409dd7b630cebbe309417469
                                                          • Opcode Fuzzy Hash: 72f91d84b24b300e0affb6d17c6e23072b4a18bfd84108dcc0ddd08e7aec4a2a
                                                          • Instruction Fuzzy Hash: 6341697BB14A528AF700CF62E8542AD73B1FB89B98F454435CE0A87B54EF7CA45AC700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF679F99D37), ref: 00007FF679F9842A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ObjectSingleWait
                                                          • String ID: wil
                                                          • API String ID: 24740636-1589926490
                                                          • Opcode ID: 2c0373b28f76578aa9df17f6d571699a82e765928cf642f925477c393d57872f
                                                          • Instruction ID: 3d2f79defd7091fabba37d0b4cbee40eebdcec4cc2e8e83c9b4fbdeda4f36e87
                                                          • Opcode Fuzzy Hash: 2c0373b28f76578aa9df17f6d571699a82e765928cf642f925477c393d57872f
                                                          • Instruction Fuzzy Hash: D1313BA3B3C5C382F7608F25A94477A22E1EF817A5F605132D55AC7AD4DE3DE8498601
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CreateErrorLast$CompatibleDeleteMessageSectionTracememset
                                                          • String ID:
                                                          • API String ID: 2042122949-0
                                                          • Opcode ID: d51d535511b30bea6ace68f6dec5e42e58a9f3c929de03feb12fbc4f7c249d36
                                                          • Instruction ID: cea58eb77f2af10eeeb98a6f59b2135e5af76efebfe3f6953d01857c55966440
                                                          • Opcode Fuzzy Hash: d51d535511b30bea6ace68f6dec5e42e58a9f3c929de03feb12fbc4f7c249d36
                                                          • Instruction Fuzzy Hash: 9C512A33A38A839AEB10CF11E8047A963E0FB86B9CF554136EA0E87664DF7CE5458740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • EtwEventWrite.NTDLL ref: 00007FF679F9DA6C
                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF679F9DA72
                                                          • WmsgSendMessage.WMSGAPI ref: 00007FF679F9DA94
                                                            • Part of subcall function 00007FF679F9E4D8: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF679F9DA9F), ref: 00007FF679F9E4E4
                                                            • Part of subcall function 00007FF679F9E4D8: GetThreadDesktop.USER32(?,?,00000000,00007FF679F9DA9F), ref: 00007FF679F9E4EC
                                                            • Part of subcall function 00007FF679F9E4D8: CloseDesktop.USER32(?,?,00000000,00007FF679F9DA9F), ref: 00007FF679F9E508
                                                            • Part of subcall function 00007FF679F9E090: EtwEventWrite.NTDLL ref: 00007FF679F9E0BC
                                                            • Part of subcall function 00007FF679F9E090: WTSQuerySessionInformationW.WTSAPI32(?,?,?,?,00000001,00007FF679F9DAB4), ref: 00007FF679F9E0DC
                                                            • Part of subcall function 00007FF679F9E090: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000001,00007FF679F9DAB4), ref: 00007FF679F9E0FF
                                                            • Part of subcall function 00007FF679F9E090: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000001,00007FF679F9DAB4), ref: 00007FF679F9E124
                                                          • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF679F9DAC4
                                                          • EtwEventWrite.NTDLL ref: 00007FF679F9DAE5
                                                          • PostMessageW.USER32 ref: 00007FF679F9DB0C
                                                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF679F9DB26
                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF679F9DB42
                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF679F9DB78
                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF679F9DBA3
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorEventLastWrite$CloseCurrentDesktopMessageThread$FreeHandleInformationLocalObjectPostProcessQuerySendSessionSingleSleepWaitWmsg
                                                          • String ID:
                                                          • API String ID: 1459231317-0
                                                          • Opcode ID: 10601bb6fe27d357ab27081a837f8ed4986836c0097be689f06a8cdf717aa20c
                                                          • Instruction ID: 404bcd2c2ce4f49707197a31e721d21de459bde1717218a0b89d17340273e603
                                                          • Opcode Fuzzy Hash: 10601bb6fe27d357ab27081a837f8ed4986836c0097be689f06a8cdf717aa20c
                                                          • Instruction Fuzzy Hash: EA412737A38A8386FA549F15E89877523E1EF86BA8F545032D90EC76A1CF7CA449C701
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: memset$CertCertificateContextFree
                                                          • String ID: FALSE$NULL$TRUE$X
                                                          • API String ID: 488843482-2970198400
                                                          • Opcode ID: e0ecc7e6e3191f1e6cd953be9c89745b23701e0e794191e3838f541230b7185e
                                                          • Instruction ID: 0ec1736729c30ee7ccb5ebf3cb86adf016f175c6e26dbbe1184d930222a1425b
                                                          • Opcode Fuzzy Hash: e0ecc7e6e3191f1e6cd953be9c89745b23701e0e794191e3838f541230b7185e
                                                          • Instruction Fuzzy Hash: 2CC15933A28BC785EB20CF11E8443A967E5FB457A8F504036DA4E97AA8DFBDE545C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$AncestorBandDesktopForegroundParentProp
                                                          • String ID: AllowConsentToStealFocus
                                                          • API String ID: 419753130-2125348190
                                                          • Opcode ID: a2317f687a439c3ec87e68a716e9043f81bdc2e45beaa7a5433506624e6a3f2e
                                                          • Instruction ID: af2603927362f1c3bb321dcf361d135e4190597cd63b13852f6b0ff7181fe604
                                                          • Opcode Fuzzy Hash: a2317f687a439c3ec87e68a716e9043f81bdc2e45beaa7a5433506624e6a3f2e
                                                          • Instruction Fuzzy Hash: F9515C23A296C345FB99CF05D51537423D1EF82BA8F684032CD0ED76A5DEBDE8868780
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Paint$BeginLayoutMessageReleaseTraceWindow
                                                          • String ID:
                                                          • API String ID: 2660142050-3916222277
                                                          • Opcode ID: 3a2c93ca69e43fad927191d85ab710223b0d35e792a0df8edd8125c207e329be
                                                          • Instruction ID: ab372e2f0aa472338593406a487b6557e6173471df49f05ac04da1a3fcf53e0a
                                                          • Opcode Fuzzy Hash: 3a2c93ca69e43fad927191d85ab710223b0d35e792a0df8edd8125c207e329be
                                                          • Instruction Fuzzy Hash: EA310136A2878286EB54CF15F45462AB7E0FB8AB94F144131DE4E83B68CF7DE445CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: FreeLibraryLoadTask_errno$AllocIcon_wtol
                                                          • String ID:
                                                          • API String ID: 3883829943-0
                                                          • Opcode ID: 1bea2f343861c28689dae4db68f67a7e16fdb981ebd31af88e725b1a45b67d5f
                                                          • Instruction ID: 6361c2377473ed2707bb383c73a3ced724c7b58e610a22aba12da0e0f972e01c
                                                          • Opcode Fuzzy Hash: 1bea2f343861c28689dae4db68f67a7e16fdb981ebd31af88e725b1a45b67d5f
                                                          • Instruction Fuzzy Hash: D2318137A19A8386EB24EF15A44407863F1FB49BA4B994131DE1EC3794EF3DE856CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ImpersonateLoggedOnUser.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,00000000,00000000,?,?), ref: 00007FF679F9C467
                                                          • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF679F9C4AF
                                                          • WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF679F9C4DB
                                                          • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF679F9C4F6
                                                          • WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF679F9C522
                                                          • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF679F9C5CF
                                                          • RevertToSelf.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF679F9C637
                                                          Similarity
                                                          • API ID: StringWindows$Delete$Buffer$ImpersonateLoggedRevertSelfUser
                                                          • String ID:
                                                          • API String ID: 874656061-0
                                                          • Opcode ID: 284dee9168f5c8c4decd6e96c77035c4d48dde5b38e177f56b1e70b282ca3436
                                                          • Instruction ID: 481f3067d63a648a756a0e07c8869ffde56fd9ad47432c290d8a0953cebd347f
                                                          • Opcode Fuzzy Hash: 284dee9168f5c8c4decd6e96c77035c4d48dde5b38e177f56b1e70b282ca3436
                                                          • Instruction Fuzzy Hash: 06811933A28A8786EB14CF26C8943B927E0FB45BA8F144135DA0EC76A4DF7DE449C740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ImpersonateLoggedOnUser.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,00007FF679F96A84), ref: 00007FF679F9BFC6
                                                          • RevertToSelf.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,00007FF679F96A84), ref: 00007FF679F9C03F
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,00007FF679F96A84), ref: 00007FF679F9C064
                                                          Strings
                                                          Similarity
                                                          • API ID: FreeImpersonateLoggedRevertSelfTaskUser
                                                          • String ID: FALSE$TRUE
                                                          • API String ID: 3752364418-1412513891
                                                          • Opcode ID: 78378e669159d3ed43995d5b017fd894a5bd4d91803d17f85cb3e3148e295bd6
                                                          • Instruction ID: c2879612a4bbd99b4408da56c09a2db04bae0be56643cef694eed59bf7dd3fb3
                                                          • Opcode Fuzzy Hash: 78378e669159d3ed43995d5b017fd894a5bd4d91803d17f85cb3e3148e295bd6
                                                          • Instruction Fuzzy Hash: 89415933A28B8686EB60CF15E88036967E0FB85B94F404135DA8EC3B64DF7DE455CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: ErrorLast$InformationLocalObjectUser$AllocFreeMessageTrace
                                                          • String ID:
                                                          • API String ID: 2029726541-0
                                                          • Opcode ID: cdef9c8008b1d24512f1f665c36496de61b3b215d5f65f46fd7682734cadae9a
                                                          • Instruction ID: b7fc8ba4002206d6c18cb096c9c702dc42dc37c96788c656136ecb22eb6e2ede
                                                          • Opcode Fuzzy Hash: cdef9c8008b1d24512f1f665c36496de61b3b215d5f65f46fd7682734cadae9a
                                                          • Instruction Fuzzy Hash: 04313C36B28A8395EB148F19E8447B923E0EF86B98F644535CA4EC76A8DF7CE4458700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Desktop$ErrorLast$CloseMessageOpenThreadTrace
                                                          • String ID: winlogon
                                                          • API String ID: 3758285829-3575102327
                                                          • Opcode ID: 0b4a7dc20e99248901369e1b2af18269318e1223a8adc957210f73dbc0d4f38b
                                                          • Instruction ID: 99b480b161a899bf831000b1dbd455790e917868f5328ab06e0fce3a67dc4a48
                                                          • Opcode Fuzzy Hash: 0b4a7dc20e99248901369e1b2af18269318e1223a8adc957210f73dbc0d4f38b
                                                          • Instruction Fuzzy Hash: 37114263F28BC341EB14CF55E94867523E1EF46B98F645031DA0ECB664DE7DE4468300
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: Task$Free$AllocMessageTracememcpymemset
                                                          • String ID:
                                                          • API String ID: 412478286-0
                                                          • Opcode ID: 7c153861a633cb2777003ae0a5080577ee06139addc109216cbbf956f1f5cd09
                                                          • Instruction ID: f1e0416a9fbb702397d099a553b1bbeb467eb7edfa827b67e4d929599f800dc6
                                                          • Opcode Fuzzy Hash: 7c153861a633cb2777003ae0a5080577ee06139addc109216cbbf956f1f5cd09
                                                          • Instruction Fuzzy Hash: 0A515A33B29B828AEB14DF65E4502AD23E1EB45B98F104036DE4E93B58DF3CE9068740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: ErrorLast$CloseCreateHandleMessageObjectSingleThreadTraceWaitmemset
                                                          • String ID:
                                                          • API String ID: 1682848740-0
                                                          • Opcode ID: 46e6b5c3b0f8aa8e31107bbd9ca0b565c528f2ebf4e463368e41e7a3efbda1ed
                                                          • Instruction ID: 25aa646b29269d9b06d75f2ea0737d4958df4c0b214b4f24fef05d8c565c005b
                                                          • Opcode Fuzzy Hash: 46e6b5c3b0f8aa8e31107bbd9ca0b565c528f2ebf4e463368e41e7a3efbda1ed
                                                          • Instruction Fuzzy Hash: 8D31F733E29B8385EA14CF15E8043A923E5FB85B94F444636DA4EC36A4DF7DE546C780
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: FreeUninitialize$AmsiCallCancellationDisableEventLocalTask
                                                          • String ID:
                                                          • API String ID: 3167936928-0
                                                          • Opcode ID: 6858d9e30df0dcfbf67b6ce1753371e657be826698c9ca451710dec0b67db709
                                                          • Instruction ID: 04de251124cda63f6023ffaef5b2ffe6e6c5f92b038b51a1671fc52c47f6f35e
                                                          • Opcode Fuzzy Hash: 6858d9e30df0dcfbf67b6ce1753371e657be826698c9ca451710dec0b67db709
                                                          • Instruction Fuzzy Hash: 8E017526B2AA8685EF199F65E85417823E0EB49F95B194435CD0EC73A0DF2CE4558210
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DestroyIcon.USER32(?,?,0000000A,00007FF679F96A1E), ref: 00007FF679F9B9A6
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,0000000A,00007FF679F96A1E), ref: 00007FF679F9B9B5
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,0000000A,00007FF679F96A1E), ref: 00007FF679F9B9C4
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,0000000A,00007FF679F96A1E), ref: 00007FF679F9B9D3
                                                          • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,0000000A,00007FF679F96A1E), ref: 00007FF679F9B9E7
                                                          • CertFreeCertificateContext.CRYPT32 ref: 00007FF679F9B9F6
                                                          Similarity
                                                          • API ID: Free$Task$CertCertificateContextDestroyIcon
                                                          • String ID:
                                                          • API String ID: 1758463638-0
                                                          • Opcode ID: 10877b419859cd511e729633a2bde1fab1b411c78889c5dac0f300857978e8ab
                                                          • Instruction ID: 04838a86f40d2f7434b542db75e2b2ea18c875f0bc124ced11fd013fcbcd354f
                                                          • Opcode Fuzzy Hash: 10877b419859cd511e729633a2bde1fab1b411c78889c5dac0f300857978e8ab
                                                          • Instruction Fuzzy Hash: 2B01C867635F4682EB15DF61D4A533823B0FB89F5AF150224CA0E8B158DF7CD498C394
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: OpenSemaphore$ErrorLast
                                                          • String ID: _p0$wil
                                                          • API String ID: 3042991519-1814513734
                                                          • Opcode ID: 833088781b758e7a2cf04f8a7611536e1bc26bd4b1926d6580bc5d1c448e99e3
                                                          • Instruction ID: f71565acb722c87bd770b83f9729a1273a3236de397142c67a38cb89a997b9a7
                                                          • Opcode Fuzzy Hash: 833088781b758e7a2cf04f8a7611536e1bc26bd4b1926d6580bc5d1c448e99e3
                                                          • Instruction Fuzzy Hash: 1C71CD63B2DAC386EF619F64A4442B963E8EF85B90F554132DA4DC7794EE3DE844C310
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF679F97B15
                                                          • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF679F97BC7
                                                            • Part of subcall function 00007FF679F9A000: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF679F98BC9), ref: 00007FF679F9A022
                                                            • Part of subcall function 00007FF679F9A000: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF679F98BC9), ref: 00007FF679F9A034
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CreateErrorLastSemaphore
                                                          • String ID: _p0$internal\sdk\inc\wil\resultmacros.h$wil
                                                          • API String ID: 778173943-1203722284
                                                          • Opcode ID: e59a87873efca91228c6980149d08e75932e5e9c95ac530b74547e51717e48c4
                                                          • Instruction ID: 152d088770cc04bdc2f9fe8afbf8ce0d30ef4e3fae57a78254a6a763de5ec623
                                                          • Opcode Fuzzy Hash: e59a87873efca91228c6980149d08e75932e5e9c95ac530b74547e51717e48c4
                                                          • Instruction Fuzzy Hash: 4461AF63B29BC381EE618F2494547AA63E4EF84BA4F544536DA4DC3B98EF3CD545C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF679F977C8
                                                          • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF679F9780A
                                                            • Part of subcall function 00007FF679F9A000: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF679F98BC9), ref: 00007FF679F9A022
                                                            • Part of subcall function 00007FF679F9A000: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF679F98BC9), ref: 00007FF679F9A034
                                                            • Part of subcall function 00007FF679F98870: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF679F9888F
                                                            • Part of subcall function 00007FF679F98870: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF679F988A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorHeapLastProcess$AllocCreateCurrentMutex
                                                          • String ID: Local\SM0:%d:%d:%hs$wil$x
                                                          • API String ID: 3112127618-630742106
                                                          • Opcode ID: 92002ed23795a74e951eb270572a922eb61b186bbc03f7d13aab9b2cd1f3b32f
                                                          • Instruction ID: 7b558cb4b9e35f5778497dd954c9e7f5ba883dbc28f1f5476a5de19ae15710cb
                                                          • Opcode Fuzzy Hash: 92002ed23795a74e951eb270572a922eb61b186bbc03f7d13aab9b2cd1f3b32f
                                                          • Instruction Fuzzy Hash: E8419C33B38AC392EB209F65E4807EA63A0EB98794F504032EA4DC7B55DE3CD559C740
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: InformationToken$ErrorLast
                                                          • String ID: internal\sdk\inc\wil\tokenhelpers.h
                                                          • API String ID: 2567405617-3871617126
                                                          • Opcode ID: 1ffd6dbedc111b1049763a05cd469ce08c267febaae59aca3930c93cc31331c7
                                                          • Instruction ID: c7ccedd3b7f1db028bca57bf1c0b59e6d9ca75bfefba866663899b721ff0f626
                                                          • Opcode Fuzzy Hash: 1ffd6dbedc111b1049763a05cd469ce08c267febaae59aca3930c93cc31331c7
                                                          • Instruction Fuzzy Hash: 1B217123B2CAC381EB109F51E8406BA63E1FFC67A4F644131EA5DC7AA9DE3DE5458700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID: wil
                                                          • API String ID: 1617791916-1589926490
                                                          • Opcode ID: 7ad0da0bc6465dabc86cdc8135d544a965b8adbcb967d66c1c276fa009d079ed
                                                          • Instruction ID: 21c1195e59fc89e3d2e38742ae31653521813435a984484a39c671c94b4a9836
                                                          • Opcode Fuzzy Hash: 7ad0da0bc6465dabc86cdc8135d544a965b8adbcb967d66c1c276fa009d079ed
                                                          • Instruction Fuzzy Hash: 81314B23A28B8696E720DF16E4403AA63E0FB88794F548235DB8CC7B55EF3DE595C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CallCancellationInitialize$AmsiDisableEnableUninitialize
                                                          • String ID:
                                                          • API String ID: 3148144523-0
                                                          • Opcode ID: 3b4a0a84eb8e4beeff96c3ffa93fa2a326fb188288a30ff30b41d0ed82d0e75a
                                                          • Instruction ID: 47d0fff03c2e617c56540af47d585116a4e397126f3f9432abc5a00d9aa5d7d6
                                                          • Opcode Fuzzy Hash: 3b4a0a84eb8e4beeff96c3ffa93fa2a326fb188288a30ff30b41d0ed82d0e75a
                                                          • Instruction Fuzzy Hash: 76212623B2CBC382EB598F65E44467922E1EF85BA8F148435D90EC7694DFADE546CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ClassFreeLocalUnregister$Delete
                                                          • String ID:
                                                          • API String ID: 1956529754-0
                                                          • Opcode ID: af42a267e88bc03621c1da599525a631b6c31afab5ec3cdc72a7cfcad17aefdc
                                                          • Instruction ID: f47b744a4680f6ce3d78a22d0ef136ff7d3267e6c703d557bdde25cdacbedc63
                                                          • Opcode Fuzzy Hash: af42a267e88bc03621c1da599525a631b6c31afab5ec3cdc72a7cfcad17aefdc
                                                          • Instruction Fuzzy Hash: 2201E827A25A8689EB20EF31D8543B923A1FB4AF99F049031CA1D87A65CF2CD594C200
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00007FF679F9B950: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,00007FF679F9CA22), ref: 00007FF679F9B96F
                                                            • Part of subcall function 00007FF679F9B950: RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FF679F9CA22), ref: 00007FF679F9B985
                                                          • RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF679F9CA45
                                                          • RtlLengthSid.NTDLL ref: 00007FF679F9CAC3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ActivationCreateExceptionFactoryLengthRaiseReferenceStringWindows
                                                          • String ID: Windows.Internal.StateRepository.Application$ds\security\services\lua\consentui\context.cpp
                                                          • API String ID: 1436923132-3692511694
                                                          • Opcode ID: ac6a279d73b4630aff2bab37cafd4e21057c8fe2441cf34f1e32a0db50ffdd7a
                                                          • Instruction ID: 12e5470f5b59a3d55b5a6390d2dc4218f31e52ad2e713d9300c5ca0b362ffec9
                                                          • Opcode Fuzzy Hash: ac6a279d73b4630aff2bab37cafd4e21057c8fe2441cf34f1e32a0db50ffdd7a
                                                          • Instruction Fuzzy Hash: E9614223729AC791E710DF61E850AAA67A0FB86BE0F415232DE5ED3BA5DE3CD445C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CloseCurrentOpenUserValue
                                                          • String ID: AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current
                                                          • API String ID: 959624552-1582783161
                                                          • Opcode ID: 7cb211b2319d2484271118ddd2ea72a63055e69232969d5aa9a3183ce6209266
                                                          • Instruction ID: 13b3fa38c14ef4759a565c319e2b5492cace2f7936c4441fd9672c76cb895b3a
                                                          • Opcode Fuzzy Hash: 7cb211b2319d2484271118ddd2ea72a63055e69232969d5aa9a3183ce6209266
                                                          • Instruction Fuzzy Hash: 75212F22B28B8781EB148F15E45437967E0FB86B88F584135E94E87795DFACD946C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: FlashPropWindow
                                                          • String ID: $TwoFootCriticalNotification
                                                          • API String ID: 1278527393-2469437643
                                                          • Opcode ID: 7e539d80af679723a50f19627c5f64c5a8bb8572005d7ff16e6228ee2df21d68
                                                          • Instruction ID: e457f847498bbcd1b932aaedc5e4f1a46bd69cbf1229370b19db9508520679ce
                                                          • Opcode Fuzzy Hash: 7e539d80af679723a50f19627c5f64c5a8bb8572005d7ff16e6228ee2df21d68
                                                          • Instruction Fuzzy Hash: C2E012B363874183E7108F10F44935A77A0F75A759F541124E98A47658DF7DC198CF45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: FreeLocal$AmsiEventScan
                                                          • String ID:
                                                          • API String ID: 2910536158-0
                                                          • Opcode ID: 820b2bb45d0619a70507507d0e5ec155fa956682729f9485b21050a7c0634e92
                                                          • Instruction ID: fb68c341f4cc2dabb0c0d2aaf499979c5b704952e0ad34b78043b8ebbb884cc6
                                                          • Opcode Fuzzy Hash: 820b2bb45d0619a70507507d0e5ec155fa956682729f9485b21050a7c0634e92
                                                          • Instruction Fuzzy Hash: 2C711673A29B8785EB148F15D4403A963E0FB85BA8F508032DA4EC73A9DF7DE445CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF679F9D8A3), ref: 00007FF679F9DC39
                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF679F9D8A3), ref: 00007FF679F9DC46
                                                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF679F9D8A3), ref: 00007FF679F9DC88
                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF679F9D8A3), ref: 00007FF679F9DC93
                                                            • Part of subcall function 00007FF679FA0380: EtwTraceMessage.NTDLL ref: 00007FF679FA03B7
                                                            • Part of subcall function 00007FF679F9A218: EtwTraceMessage.NTDLL ref: 00007FF679F9A22B
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastMessageObjectSingleTraceWait
                                                          • String ID:
                                                          • API String ID: 2828113838-0
                                                          • Opcode ID: d320e9a1a7c455f8445992d790062423f6f85f0a5f08e9d49ff3ba12f0b6cd9c
                                                          • Instruction ID: d88df164f53eb0fd756e8222fcac7df15576131a2b550f26171d5d9136df9f2b
                                                          • Opcode Fuzzy Hash: d320e9a1a7c455f8445992d790062423f6f85f0a5f08e9d49ff3ba12f0b6cd9c
                                                          • Instruction Fuzzy Hash: 24413823A2C6C345EB68CF16954827522E4EF45B64F344532EA4EC36E4DFBCE8828780
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                          • String ID:
                                                          • API String ID: 140117192-0
                                                          • Opcode ID: 1a36e1d22939388315354ccc0137201634089dd6f1b4e6de5b798e6e8be04ba2
                                                          • Instruction ID: b604e5b5e6c0bea85cd07aa58335a325cea129003159dc5cf33442bf98081edf
                                                          • Opcode Fuzzy Hash: 1a36e1d22939388315354ccc0137201634089dd6f1b4e6de5b798e6e8be04ba2
                                                          • Instruction Fuzzy Hash: BE41C47AA28F8285EA509F19F85036673E4FB9A794F904136D98EC3764DFBCE454C700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF679F9DA9F), ref: 00007FF679F9E4E4
                                                          • GetThreadDesktop.USER32(?,?,00000000,00007FF679F9DA9F), ref: 00007FF679F9E4EC
                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF679F9DA9F), ref: 00007FF679F9E529
                                                            • Part of subcall function 00007FF679F9E3C4: GetUserObjectInformationW.USER32 ref: 00007FF679F9E3EB
                                                            • Part of subcall function 00007FF679F9E3C4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF679F9E3F1
                                                            • Part of subcall function 00007FF679F9E3C4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF679F9E41D
                                                          • CloseDesktop.USER32(?,?,00000000,00007FF679F9DA9F), ref: 00007FF679F9E508
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$DesktopThread$CloseCurrentInformationObjectUser
                                                          • String ID:
                                                          • API String ID: 2001675675-0
                                                          • Opcode ID: 8091418ad0455d055d58c0a2693ec9bdfb5b102dd5aa2b32c7ffda5fc07a03af
                                                          • Instruction ID: a89422e09d7b0ddb771b56e1c3612c344e80f9888096d3aaed86036ca4d6f148
                                                          • Opcode Fuzzy Hash: 8091418ad0455d055d58c0a2693ec9bdfb5b102dd5aa2b32c7ffda5fc07a03af
                                                          • Instruction Fuzzy Hash: AB01EC22F2DBC781EE549F65A94427812E0EF86B94F584435D90ECB7A5EE3CE4458700
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          • SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList, xrefs: 00007FF679F9A561
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: FromStringValue
                                                          • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList
                                                          • API String ID: 1884225406-3816395346
                                                          • Opcode ID: a0e02dcd3db2e47f44ca7ce78d9b363da0cb4ecf81595da20a14ddc0fa1df37f
                                                          • Instruction ID: 1d27dc628abb48ca1e8209ea6ffa65c9c302064afb83b386b8351d48bab8efd3
                                                          • Opcode Fuzzy Hash: a0e02dcd3db2e47f44ca7ce78d9b363da0cb4ecf81595da20a14ddc0fa1df37f
                                                          • Instruction Fuzzy Hash: 1C112173618B8786EB208F54E4403AAB3B0FB85714F900136DA8D87758DF7CD509CB44
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 0180f77ebc56c7c2ce5e67e2a7baa2e0070938d7665c8334581b37d5ff794b4b
                                                          • Instruction ID: c1dd40066bbf946792170d195faa5f316f4ee1c66657f4496689ad9833590a56
                                                          • Opcode Fuzzy Hash: 0180f77ebc56c7c2ce5e67e2a7baa2e0070938d7665c8334581b37d5ff794b4b
                                                          • Instruction Fuzzy Hash: FC3124A2A15B8286EB04DF5AA4443A877E4FB49FD8F598036DE0C87755DF39D492C304
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00007FF679F99EE0: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF679F98BB4), ref: 00007FF679F99EF9
                                                            • Part of subcall function 00007FF679F9A000: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF679F98BC9), ref: 00007FF679F9A022
                                                            • Part of subcall function 00007FF679F9A000: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF679F98BC9), ref: 00007FF679F9A034
                                                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF679F98BF0
                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF679F98BDE
                                                            • Part of subcall function 00007FF679F98C6C: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF679F98C4E), ref: 00007FF679F98C70
                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF679F98C26
                                                          • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF679F98C34
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.376827923.00007FF679F91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF679F90000, based on PE: true
                                                          • Associated: 0000000D.00000002.376816327.00007FF679F90000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376855078.00007FF679FA8000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376870389.00007FF679FA9000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000D.00000002.376881955.00007FF679FAC000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7ff679f90000_consent.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Heap$FreeMutexObjectProcessReleaseSingleWait
                                                          • String ID:
                                                          • API String ID: 2060072361-0
                                                          • Opcode ID: dfc86838ead7c9c4049b0375952a65c205fd62fecb4223e794680a1955a5858e
                                                          • Instruction ID: ebb01c800bfc65431915ab4bbb8dddb0141a8a492993a3f40f626e610b71639e
                                                          • Opcode Fuzzy Hash: dfc86838ead7c9c4049b0375952a65c205fd62fecb4223e794680a1955a5858e
                                                          • Instruction Fuzzy Hash: 85218C63B2ABC386FA149F62A84017963E0EF95BB0B094135DA9EC7395DF3CE8418300
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%